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Overview 


Protocols Tutorial 


History 
Fields defined 
Functionality Analyzed 
Common Problems 


e Hands-on Exercises 


Overview - 2 


Hands-on 
Troubleshooting 


Real-world Problems 

— Duplicate IP addresses 

— TCP window = 0 problems 

— Telnet performance issues 

— RARP server down 

— NFS incompatibility problems 


Questions guide students to solutions 
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Course Prerequisites 


¢ Ethernet Network Analysis and Troubleshooting, or 


¢ Token Ring Network Analysis and Troubleshooting, or 


¢ In-depth working knowledge of LANs and the Sniffer 
Network Analyzer 
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Major Topics 


The Internet Protocols TELNET 

IP FTP 

ARP TFTP 

RARP SMTP 

SNAP DNS 

ICMP SNMP 

Internet Gateways RUNIX 

TCP ONC (NES) Protocols 
TRLR NetBIOS/SMB; EGP (in 
UDP Miscellaneous section) 
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Troubleshooting Exercises 
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The Only Bad Question 
Is The One That Doesn’t Get Asked! 
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A Brief History of TCP/IP 
and The Internet Protocols 


Mid 


1970’s_ 1978 - 1979 1980 Jan, 1983 1983 1985 1990 


Intermet Architectures DARPA DARPA BSD UNIX NSF Currently used to 
Protocol and Protocols starts converting “All computers distributed with Takes active allow information 
development reasonably Research Nets connected to TCP/IP and roll in exchange between 
begins complete to TCP/IP ARPANET ARP (linking expanding the tally all research 
must use TCP/IP to Internet site enae 
TCP/IP” Ethemet and scientific and higher 
UNIX) education institutions 


in the U.S., and many 
commercial concems 
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RFCs 


e “Request for Comments” 


¢ Contain complete specifications for the TCP/IP protocol suite 


¢ Available hard copy from: 


Network Information Center 
800-444-4345 or 703-742-4777 


e Available via electronic mail from: 


mailserv@ds.internic.net 
Include in message body: 
document-by-name rfcnnnn where nnnn is the RFC number 
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as —s, 
Governing Bodies for TCP/IP Protocols 


Internet Society ISOC) 


Internet Architecture Board (IAB) 


Internet Research 
Task Force (IRTF) 


Internet Engineering Task 
Force (IETF) 


™ 
Working The Internet Research groups pursue 
groups develop Engineering Steering long-term research projects 
RFCs. Group (IESG) helps the to promote evolution of the 
IETF chair. Internet 
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Protocol State 


becomes obsolete 


consideration 


6 month delay. Implementations 
constructed. IESG approval. 


withdrawn from becomes obsolete 


consideration 


Draft 
Standard 


4 month delay. Two independent 
implementations interoperate. 
IESG approval. 


IAB action becomes obsolete 


Standard 


becomes obsolete 
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“Twas The Night Before Start-Up” 


Status of this memo: 
This memo discusses problems that arise and debugging techniques used in bringing a new network into operation. 
Distribution of this memo is unlimited. 


DISCUSSION 


Twas the night before start-up and all through the net, 


not a packet was moving; no bit nor octet. 
The engineers rattled their cards in despair, 
hoping a bad chip would blow with a flare. 
The salesmen were nestled all snug in their beds, 
while visions of data nets danced in their heads. 
And I with my datascope tracings and dumps 
prepared for some pretty bad bruises and lumps. 
When out in the hall there arose such a clatter, 
I sprang from my desk to see what was the matter. 


There stood at the threshold with PC in tow, 
An ARPANET hacker, all ready to go. 

I could see from the creases that covered his brow, 
he’d conquer the crisis confronting him now. 

More rapid than eagles, he checked each alarm 
and scrutinized each for its potential harm. 


On LAPB, on OSI, X.25! 
TCP, SNA, V.35! 
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no bug could hide long; not for hours or days. 
A wink of his eye and a twitch of his head, 
soon gave me to know I had little to dread. 


His eyes were afire with the strength of his gaze; 


He spoke not a word, but went straight to his work, 


fixing a net that had gone plumb berserk; 
And laying a finger on one suspect line, 
he entered a patch and the net came up fine! 


The packets flowed neatly and protocols matched; 


the hosts interfaced and shift-registers latched. 


He tested the system from Gateway to PAD; 


not one bit was dropped; no checksum was bad. 


At last he was finished and wearily sighed 


and tumed to explain why the system had died. 


I twisted my fingers and counted to ten; 
an off-by-one index had done it again.... 
Network Working Group 
RFC: 968 
V. Cerf 
MCI 
December 1985 
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Internet Protocol Family: An Overview 


¢ Connection-oriented byte stream protocol 
¢ Provides reliable end-to-end communication 


¢ Fragments and reassembles large packets 
¢ Connectionless, unreliable service 
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A protocol providing reliable file transfer 


A simple protocol used to exchange files between 
networked stations 


A protocol for transmitting character-oriented terminal data 


A protocol allowing reliable exchange of electronic 
messages 


A protocol for finding information about network addresses 
using a database distributed among different name servers 


A protocol for managing TCP/IP and other networks 


RUNIX, or Remote UNIX, is a set of commands and 
protocols for accessing remote UNIX resources. 


@ 
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Addressing in a 
TCP/IP Environment 


Unit of 
Transfer Address 
“Messages” Process I.D. Specifies a Host and a Process 
“Segments” Port Address Specifies a Process 
S 
; . ocket 
“Datagrams” IP Address Specifies a Log ical 
Network Device 
’ 
“Frames” LLC Address Specifies a Process 
Mac (DLC) Addre: Specifies a Physical 
Network Device 
Bits 
O 
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Internet Protocol Family 


Network 
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Ip-1 
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What Does IP Do? 


¢ Best effort delivery of frames across an internet 


¢ IP does not provide flow control or error 
control; higher layers must handle this 


e IP Gateways route frames from one network to 
another 


e IP fragments and re-assembles frames for 
traversal across networks that require small 
frames. 


Network 
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IP Functionality 


Gateway 
(Router) 


LLP 1} LLP2 


ULP = upper layer protocol 
LLP = lower layer protocol 


WS 
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IP Addressing 


e Each computer on the network is assigned a unique 
32-bit address 


e Address consists of a network part and a host part 
¢ Local sites assign host part 


¢ Network part is assigned by: 
— Internet Network Information Center 
- 800-444-4345 
— 703-742-4777 


Network 
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Classes of Addresses 


Network 
General 
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Dotted Decimal Notation 


e Four decimal integers separated by periods 
¢ 10000000 00001010 00000010 00011110 


becomes 
128.10.2.30 


The first octet of a Class A address is in the range 0-127. 

The first octet of a Class B address is in the range 128-191. 
The first octet of a Class C address is in the range 192-223. 
The first octet of a Class D address is in the range 224-239. 
The first octet of a Class E address is in the range 240-247. 


The Network Information Center reserves numbers 0.x.x.x, 127.x.x.x, 128.0.x.x, 191.255.x.x, 192.0.0.x, 223.255.255.x, and 224.0.0.0 - 255.255.255.255. 
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IP Routing 


192.1.1.1 210.1.1.1 Routing Table For 
Gateway A 


Network 
210.1.1.0 


Network 
192.1.1.0 


dd | 


¢ Routing table grows when networks, rather 
than hosts are added. 


Thi 
210.1.1.2 


192.1.1.2 


212.1.1.2 2211.11 


Network 
212.1.1.0 


¢ All traffic headed for a given network takes 
the same path 


¢ Traffic from Host X to Host Y may travel a 
different path than traffic from Host Y to Host 


Network 
221.1.1.0 


212.1.1.1 221.1.1.2 X. 
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Examine Compute IP Address 
Destination for 
IP Address. ID Destination Network. IN 


Source: Comer, "Internetworking with TCP/IP", 1988 
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Declare 
Routing Error 
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Ave ID to 
I Address 


Encapsulate 


Datagram 
Route Dati a 


as Specified 
in Table 


Route Datagram 
to Default | 
Galewas 
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IP Addressing: 


Subnetting 
X Bits Y Bits 


Network Address Host Address 


X Bits Z Bits Y-Z Bits 
Subnet Host 
Network Address 


¢ Used to differentiate LANs in the same campus. 
¢ Particularly useful when LANs are: 


— Different technologies 
— Too far apart 
— Congested 
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General 
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Subnetting in a Class B Network 


Rest of the 
network 


Pr all traffic to 


128.10.0.0 


Subnet 128.10.1.0 


Subnet 128.10.2.0 


Fassconcscoctanasaasansasadl Ysssasssacosooncnsoannscssad Rican 
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Subnet Address Masks 


¢ Used to identify which bits of the local address 
field indicate the subnet number. 


Network Subnet Host 


Logical and \~— Byte 1 —>|<— Byte 2 >| Byte 3 —>|<— Byte 4 —m| 


Operation 


Mask 255.255.252.0 
(in IP format) 
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Subnet Masks 
Binary to Decimal and Hex Conversion 


# Of 

Subnet Bits Binary Decimal Hex 
8 11111111 255 FF 
7 11111110 254 FE 
6 11111100 252 FC 
s 11111000 248 F8 
4 11110000 240 FO 
3 11100000 224 EO 
2 11000000 192 CO 
1 10000000 128 80 
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Class B Subnet Masks 
Binary # of 
Subnet of 3rd and 4th Possible 
Mask Octets Subnets 
255.255.255.0 11111111.00000000 256 
255.255.254.0 11111110.00000000 128 
255.255.252.0 11111100.00000000 64 
255.255.248.0 11111000.00000000 32 
255.255.240.0 11110000.00000000 16 
255.255.224.0 11100000.00000000 8 
255.255.192.0 11000000.00000000 4 


255.255.128.0 


*Note: We are avoiding using all ones or all zeros in the node part of an address C 
ewer 
. enera 
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# of Possible 
Nodes Per 
Subnet 


254* 
510 
1022 
2046 
4094 
8190 
16,382 
32,766 
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Class B Subnet Masks (continued) 


Binary # of # of Possible 
Subnet of 3rd and 4th Possible Nodes Per 
Mask Octets Subnets Subnet 
255.255.255.000 11111111.00000000 256 254* 
255.255.255.128  11111111.10000000 512 126 


255.255.255.192 11111111.11000000 1024 62 
255.255.255.224  11111111.11100000 2048 30 
255.255.255.240 11111111.11110000 4096 14 
255.255.255.248  11111111.11111000 8192 6 
255.255.255.252 11111111.11111100 16,384 2 
255.255.255.254  11111111.11111110 32,768 0 


*Note: We are avoiding using all ones or all zeros in the node part of an address 


© 
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Routing in a Subnetted Environment 


network 128.9.0.0 


all traffic to all traffic to 


128.10.0.0 128.11.0.0 
Port 3 Port 3 
Gateway A Gateway B 
Port 1  Port2 Port 1 Port 2 


Subnet 128.10.1.0 Subnet 128.11.1.0 


Subnet 128.10.2.0 Subnet 128.11.2.0 


Gateway A’s Routing Table Gateway B’s Routing Table 


* Gateway A not aware of subnetting on remote networks. * Gateway B not aware of subnetting on remote networks. 


Network 
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Subnet Mask Procedure 


Gateway A receives a frame with a destination IP address of 
128.10.2.6. Gateway A performs a logical AND using the 
Destination IP address and the subnet mask. This is how the 
gateway learns which sub-network the source device is 


attempting to reach. 


Destination IP Address = 10000000 00001010 00000010 00000110 


Subnet Mask = 11111111 11111111 11111111 00000000 
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IP - 16 


Logical AND 
00000000 


Destination sub-network number 128.10.2.0 
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Subnet Mask Procedure 


Network 128.9.0.0 Gateway A’s Routing Table 


all traffic to 
128.10.0.0 
Port 3 


Gateway A 
Port 1 Port 2 


Subnet 128.10.1.0 


Subnet 128.10.2.0 


* Gateway A not aware of subnetting on remote networks. 


Gateway A now knows the destination sub-network number is 
128.10.2.0. Gateway A looks in its routing table for an entry 
matching the sub-network number 128.10.2.0. In this particular 
case it finds that the destination sub-network can be reached via 
physical port 2, and it passes the frame to that physical interface. 
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Subnet Mask Procedure 


Port 2’s ARP Table 


IP Hardware 
Address Address 
128.10.2.1 080020340894 


Subnet 128.10.2.0 


Hardware Address = 08002001 ABCD 
IP Address = 128.10.2.6 


Workstation A 


At this point the host number is extracted from the Destination IP address 
and Gateway A looks in its port 2 ARP table for the hardware address 
matching 128.10.2.6. If an entry is contained in the table, the information is 
encapsulated into the lower layer frame and sent. If an entry is not found, 
then Gateway A will send an ARP request in an attempt to find the hardware 
address assigned to 128.10.2.6. 


Network 
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IP Fragmentation and Reassembly 


Final 


Fragments 


Maximum If > 1024B MTU = MTU = Destination 
Transfer 1024B 1518B Reassembles 
Unit = 1518B (X.25) (Ethernet) 
(Ethernet) 


¢ Each fragment looks the same except for the “More 
Fragments” Flag. 


¢ If any Fragments are lost, other Fragments are eventually 
discarded. 


¢ Fragments do not necessarily arrive in order. 


Network 
General 
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IP Fragmentation Exercise 
(IPFRAGI.ENC Trace) 


15.4.130.124 | 111.0.0.3 UDP Length » 8316; more fragments; frag. offset = 0 
15.1.130,124 | 111.0.0.3 IP continuation; more fragments; frag. offset = 1248 
15.1,130.124 | 111.0.0.3 IP continuation; more fragments, frag. offset » 2496 


15.1,130,124 | 111.0.0.3 IP continuation, more fragments; frag. offset = 3744 

15.1.130.124 | 111.0.0.3 IP continuation; more fragments; frag. offset = 4992 

15.1.130.124 | 111.0.0.3 IP continuation; more fragments; frag. offset = 6240 

15,1,130.124 | 341.0.0.3 IP continuation; last fragments; frag. offset = 7488 
828 bytes of data 


Note: Length in first packet (8316) matches (1248 x 6) + 828 


(a. 
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IP Type Of Service - Precedence Field 


= Normal Delivery 


High Importance Information 


¢ First 3 bits of the Type of Service field specify precedence ; 


e Anupper layer protocol at the sender specifies the importance of 
the datagram 


e Allows control information to have precedence over data, for 
example a congestion control mechanism could use this and not 
be affected by the congestion on the network 


¢ Ignored by most hosts and gateways but may be used in the future 


Network 
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High Speed Link 


Fault Tolerant Backbone 


h o 
T bit set 


e An upper layer protocol at the sender requests type of 


routing service based on the type of application 
Network 
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IP Options 
(Mostly Used For Testing and Debugging) 


End of Option List 
No Operation 


Security 


Loose Source Routing 
Strict Source Routing 
Record Route 

Stream ID (obsolete) 
Internet Timestamp 


0 
0 
0 
0 
0 
0 
0 
v3 


Class 0 — datagram or network control 
Class 2 — debugging and measurement 


\ 
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An Introduction to TCP/IP Davidson, pg. 26 
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IP Field Descriptions 


The IP Version being implemented. 
a “Internet Header Length”; the length, in 32-bit units, of the IP Header. 


Type of Specifies reliability, precedence, delay, and throughput waramnctets 
Service desired for this Datagram. 


A Datagram number, used to reassemble fragments into a complete 
Identification Datagram. Together with Source Address, Destination Address and 
Protocol, intended to uniquely identify a Datagram. 


“Don’t Fragment” - used for some hosts which can't reassemble. 
“More Fragments” - tells IP that more fragments are coming. 
Not used - the high order bit in this field is not used. 


Total 


Network 
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IP Field Descriptions (cont'a.) 


Indicates the position of the fragment’s data relative to the beginning of 
the data in the original Datagram. 


Tj Specifies the number of seconds the Datagram is allowed to remain in 
ime to the system. Each host and Gateway decrements time to live by one as it 
Live 

processes the header. 


Identifies the ULP that should receive the data portion of the Datagram. 
Analogous to the “Type” Field in an Ethernet Frame. 


Header Contains the Checksum for the IP Header. The One’s complement of the 
Checksum sum of the One’s complement of each 16-bit word in the Header. 


Source The Internet (IP) Address of the Datagram’s originator. 
Address 
Network 
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IP Field Descriptions (cont'd) 
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Optional Information. Permits later versions of the Protocol to include 
new features, experimenters to Test New Code, etc. Officially-defined 
Options Include: Security, Loose/Strict Source Routing, Record Route, 
Stream ID, Timestamp. 


Used to fill out the Internet Header so it ends at a 32-bit boundary. 


Network 
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Common IP Problems 


¢ Routing problems (e.g., inaccurate routing tables) 
e Excessive congestion at internet points, causing timeouts 
e Duplicate network-layer addresses 


e Subnet mask not the same for all the machines in the subnet 


e Disagreement on the broadcast address format, i.e. 128.128.0.0 
vs 128.128.255.255 (UNIX BSD 4.2 and before uses 0s, newer 
versions use Is) 


Network 
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IP Troubleshooting 


¢ Use a protocol analyzer to decode packets for: 
— Nonexistent route addresses 
— Mismatched address formats 
— Duplicate IP addresses 


¢ Segment network if one segment is too busy 
e Check queues at routers to determine whether they are a bottleneck 


e Ensure IP routing tables do not have loops that would defeat 
learning bridges 
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The ZBCAST Exercise 


Objective: Look at the IP destination address in RWHO frames to isolate which 
machines may be using improper addressing 


Hint: UNIX Servers can be configured to send RWHO broadcast frames 
every 60 seconds. The main purpose of RWHO frames is to support UNIX 
machines keeping track of which users are logged onto remote systems. 
Despite the overhead RWHO frames cause on the network, they can be quite 
useful for isolating potential problems on a network. 


1. Load the trace file: C\CAPTURE\TC 103\ZBCAST.ENC and press F3 twice. 


2. Set up an Address level filter to only look at traffic that uses IP addressing. Note: this is 
an Address level filter, not a Protocol filter. 


3. Under Display options set your Name width to 17 so you can see full IP addresses. 


4. What IP Class addresses do you see on this network? 


Network 
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The ZBCAST exercise (continued) 


5. What network numbers do you see on this network? 


Why might there be multiple IP networks associated with one Ethernet network? 


6. Isolate which machines are still using Os broadcast form. Write down the IP address 
and Server name of any machines using the Os broadcast form. (Hint: let the Expert 
window help you!) 


7. Isolate which machines are sending their RWHO frames to addresses that are 
technically reserved by the Network Information Center. Write down the IP address 
and Server name of any machines using reserved addresses in the IP destination 
field. (Hint: You’ ll find a list of reserved numbers on the bottom of page 5 in the IP 
section of this manual.) 


Network 
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ARP/RARP 


O) 
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How ARP Works 


Station A 


Station B 


e Each station maintains an Address Resolution Cache of 
recently acquired Physical/Internet Address Mappings. 


O 
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The Need for Dynamic Address Binding 


Station A Station B 


e Address Resolution Protocol (ARP) solves 
this problem 


e Allows a station to discover the Physical 

Address of another station on the net, 
Hardware Address H jy provided the target station’s logical net 
address is known. 


Network 
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ARP/RARP Message Encapsulation 


ARP/RARP Message Treated As Frame Data 
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ARP/RARP Frame Format 
(Ethernet-Internet) 
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ARP Field Descriptions 


Hardware A code designating the Physical Layer Protocol being used (Ethernet = 1; 
IEEE 802 = 6) 


Protocol A code designating the Network Layer Protocol being used (IP =0800H) 


HLEN The length of the Physical Hardware Address (2B for 16-bit IEEE 802 
address; 6 for 48-Bit IEEE 802 Networks and Ethernet) 


PLEN The length of the Network Layer Address 


Operation 1 = ARP Request; 2 = ARP Reply; 3 = RARP Request; 4 = RARP Reply 
Variable Sender HA The Sender's Physical Hardware Address 
Variable Sender IA The Sender's Network Layer Address 
Variable Target HA The Target's Physical Hardware Address 


Variable Target IA The Target's Network Layer Address 
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ARP Exercise 
Load the trace file ARP.ENC (65 packets) and press F3 twice. 


1. What hardware address corresponds to protocol address 129.84.25.13? 


2. What hardware address corresponds to protocol address 129.84.25.27? 


3. Why do you think Exceln 201982 never receives a response to its ARP 
requests for 129.84.25.255? 
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How Does a Diskless Station 
Determine Its Internet Address? 


RARP Server Diskless Station 


Who am I? 


Address B 


¢ RARP is Reverse Address Resolution Protocol. 


e Server must have a mapping of hardware address to IP 
address for all potential clients. 


~ 
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RARP Operation 


Station A 


Station B 


¢ If Broadcast from Station A repeated within a 
short span of time, the RARP Backup Server 
responds. 


¢ Multiple RARP Servers create greater 
likelihood requests will be satisfied, but 
increase chance of collisions 
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RARP Exercise 


Objective: Determine why a diskless station (SUN 0115E8) can’t 
boot. 


Procedure: Load the trace file NOBOOT.ENC and press F3 twice. 


1. How many different hosts respond to the RARP request from Sun 0115E8? 


2. How long does it take for the first response to come in? (measured from 
the first request) 


3. Was the primary RARP server running? 


4. What is Sun 0115E8’s protocol address? 


Network 
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RARP Exercise (continued) 


5. What happens in packets 39 and 44? 


6. How can this problem be fixed? 
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SNAP 


e “Sub-Network Access Protocol’ 
e RFC 1042 


e Provides a standard way of encapsulating IP datagrams 
and ARP requests and replies on IEEE 802 networks. 


oi 


SNAP 


IEEE 802.2 
TEEE | IEEE | IEEE 
802.3 | 802.4 | 802.5 

Network 
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SNAP Header Format 


Fontes Protocol ID or 
802.3/4/5 Header ORG Code 


EtherT ype 
(IP = 0800; ARP = 0806; 
RARP = 8035) 


ee 
LLC Sublayer SNAP 


(3 for SNAP) 


(0 for IP on SNAP) 


MAC Sublayer 
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The Trouble With IP Routing 


18.0.0.6 24.0.0.4 
Host : Host 


a 18.0.0.0 15.0.0.0 13.0.0.0 24.0.0.0 


“To 24.0.0.4” “To Network “To Network / 
isnon ooo oe 


Q: How can you tell host A the bad news? 


A: ICMP! 


©) 
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ICMP Message Format 


IP Header 
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ICMP Messages 


. Test destination 
reachability and status 


Echo Request 


Echo Reply 


. Report unreachable 
destinations 


Destination Unreachable 


. Flow control Source Quench 


Redirect 


. Route change 


. Detect circular or 


: Time Exceeded 
excessively long routes 


. Incorrect Header Parameter Problem 


. Clock synchronization and 


Timestamp Request 
transit time estimation 


Timestamp Reply 


. Obtain a network address Information Request 


Information Reply 
Address Mask Request 


9. Obtain a subnet mask Address Mask Reply 


Network 
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@ 
ICMP Echo Request/Reply Message 


“Field Nam 


16 Checksum 16-Bit One’s Complement of the One’s Complement Sum ee the 
ICMP Message. 


Identifier 


Echo ——““Nntne- = “8”; Echo Reply = “0” 


Used by client to match requests to replies. 


Sequence 
Number 
Variable Optional Data to be returned to the client. An Echo Reply must return the 
Data same data as was received in the request. 
Network 
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O—j\ 


old fete Fi = , - ield Description 


“3 

“0” Net Unreachable 

bi lia Host Unreachable 

sed Protocol Unreachable 

“3 Port Unreachable 

a Fragmentation needed and “Don’t Fragment” Bit Set 
“5? Source Route Failed 


Checksim 16-Bit One’s Complement of the One’s Complement sum of the 
ICMP Messages. 

Network 
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Internet 
Header + 
first 64 bits 
of Datagram 


Used by the Host to match the message to the appropriate process. 
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© 
ICMP Time Exceeded Message 


ield Name 


8 Code Time to Live Exceeded in Transit 
Fragment Reassembly Time Exceeded 
16-Bit One’s Complement of the One’s Complement sum of the 


ICMP Messages. 


Variable Internet 
Header + first Used by the Host to match the message to the appropriate process. 
64 bits of original 
Datagram 
@ 
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ICMP Parameter Problem Message 


Swiffer Uninensity 


al | De 
“0” = Pointer indicates the error 


16-Bit One’s Complement of the One’s Complement sum of the 
ICMP Messages. 


Identifies the Byte where the problem was detected. 


Not Used 


Variable 


Header + first Used by the Host to match the message to the appropriate process. 
64 bits of original 


Datagram 


©) 
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€ 
ICMP Source Quench Message 


Checksum 16-Bit One’s Complement of the One’s Complement sum of the 
ICMP Messages. 


Variable Internet Used by the Host to match the message to the appropriate process. 
Header + first 
64 bits of original 
Datagram 
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ICMP Redirect Message 


“5” 


“0” = Redirect Datagrams for the Network 

8 Code “1” = Redirect Datagrams for the Host 
“2” = Redirect Datagrams for the Type of Service and the Network 
“3” = Redirect Datagrams for the Type of Service and the Host 


16 Checksum 16-Bit One’s Complement of the One’s Complement sum of the ICMP 
Messages. 


32 Gateway Address of the Gateway to which traffic for the Network specified in the 
Internet Internet Destination Network Field of the original Datagram should be 
Address sent. 
Variable Internet Used by the Host to match the message to the appropriate process. 
Header + 
first 64 bits 
of Datagram 
@ 
Network 
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ICMP Timestamp Request/Reply Message 


8 Type P30 = For Tsneatati Request 
“14” = For Timestamp Reply 


ie res 
16 Checksum 16-Bit One’s Complement of the One’s Complement sum of the ICMP 
Messages. 


16 Identifier 


Aids in matching Requests and Replies. 


Sequence 
Number 


32 Originate The time the sender last touched the message before sending it. 
Timestamp 
Receive The time the echoer first touched the message on receipt. 
Timestamp 
The time the echoer last touched the message on sending it. 


Network 
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ICMP Information Request/Reply Message ~ 


= For Information Request as 
= For Information Reply 
= 16-Bit One’s Complement of the One’s Complement sum of the 
ICMP Messages. 


16 Identifier 

Aids in matching requests to replies. 

16 Sequence ys 
Number 


Network 
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ICMP Subnet Mask Message 


For Address Mask Request 
For Address Mask Reply 


Checksum 16-Bit One’s Complement of the One's Complement sum of the 
ICMP Messages. 


Identifier 


Aids in matching requests to replies. 
Sequence 


Network’s Subnet Address Mask. 


1 - Actually specified in RFC 950 “Internet Standard Subnetting Procedure” 
as an addition to the ICMP Spec (RFC 792). 
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Internet Gateways 


Network 
General 
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Internet Gateways 


Administered by : : | 
“Internet Network Core Proprietary Protocol Core 


Operations Gateway (SPREAD) Gateway 
Center” (INOC) 


Administered 
Privately 


Autonomous 


Autonomous 
System 


System 


* An “Autonomous System” is a group of networks and gateways controlled by a single administrative authority. 
* Gateways within the same Autonomous System are “Interior” gateways. 

¢ Many Interior Gateway Protocols (IGPs) exist, including “RIP” and “OSPF.” 

* Gateways in different Autonomous Systems use Exterior Gateway Protocol (EGP) to learn each other’s routes. 
* “Core” gateways form an Autonomous System, and provide authoritative routes for all possible destinations. 


Network 
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Routing Algorithms 


e Static (Nonadaptive) Routing - routing not based on real-time 
information. Routing algorithms calculated beforehand, offline. 


¢ Dynamic (Adaptive) Routing - routing based on real-time 
analysis of network. 
— Vector Distance Algorithms such as Routing Information Protocol (RIP) and 
Cisco’s Inter-Gateway Routing Protocol. 


— Link State Protocols such as Open Shortest Path First (OSPF) and ISO’s 
Intermediate System to Intermediate System (IS-IS) 
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Vector Distance Protocols 


A router starts with information about routes to which it is directly attached. 
Each router periodically broadcasts on its own network segment the routes that it 
can reach. Every router learns how to get to the other routes. 


net 2 net 3 


net 1 


Router A broadcasts its table ——————— > 


net distance 
1 1 
a , 
2 1 Router B learns that it can get to net 2 also and 
updates its table. Broadcasts its table 
net distance 
Router A updates its table. 1 1 
Broadcasts its table —<$_»> 
net distance 4 A 
1 1 2 2 
2 1 
3 2 
Network 
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Link State Protocols 


e Alternative to Vector Distance algorithms. Vector Distance 
algorithms can cause a lot of traffic since every router 
broadcasts its whole routing table. 


¢ In Link State Protocols, a router periodically tests the status 
of its links to neighbor routers, and propagates the link status 
information to all other routers on the internet. 


¢ When link status messages arrive, a router compares the 
information to its map of the internet and if necessary 
recomputes the shortest path to destination networks. 


e Causes less traffic, but the routers have to be smarter. 
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General 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 Internet Gateways - 5 


© Copyright 1990 - 1994 Network General Corporation. All nights reserved. 


Routing Information Protocol (RIP) 


¢ Originally designed for XNS. 


¢ First standard TCP/IP protocol to ensure interoperability between different 
vendors’ routers. 


¢ Unlike IP, is adynamic routing protocol (i.e., can adapt, in real-time, to changing 
network parameters). 


¢ Incorporated into BSD UNIX in the early 1980s; gained widespread acceptance. 
¢ Currently the most widely used interior gateway protocol (IGP) in the internet. 
¢ Well suited for use in small internetworks. 


¢ RFC 1058 


Network 
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RIP Limitations 


¢ Supports a maximum of 16 hops 


¢ Always takes the minimum hop path, even if that is not the 
quickest or most cost-effective way 


¢ Slow “Convergence” (convergence is the agreement, throughout 
an area of the internet, on the relative merit of routing paths) 


¢ Requirement to broadcast entire routing table (via maximum 
512B packets) when neighbor updates are called for 


¢ Vulnerable to routing loops 


Network 
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Slow Convergence and Routing Loops 


Net 1 


G2 Table 


¢ Gateway 1’s connection to Net 2 goes down, so the table entry is removed 
¢ Gateway 2 broadcasts his table, saying he can reach Net 2 

¢ Gateway 1 receives a frame for Net 2 and sends it to Gateway 2 

¢ Gateway 2 sends frame to Gateway 1 - OOPS! 
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Open Shortest Path First (OSPF) 
RFC 1247 


¢ Routing based on: 
— Least volume of traffic (Supports load balancing) 
— Least delay 
— Least dollar cost 
— Greatest bandwidth 
— IP’s type of service options 
¢ Routing updates communicated through “Router Links 
Advertisement” packets 


¢ Routers compute the Shortest-Path Tree to develop a 
topological database of routes to destination networks. 
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OSPF Features 


¢ Supports flexible configuration of subnets. Two different 
subnets of the same IP network number may have different 
subnet masks. Unlike RIP, routes advertised by OSPF include the 
mask. 


¢ Supports networks being grouped into areas. The topology of the 
area is hidden from the rest of the Autonomous System. Reduces 
time to compute Shortest-Path Tree, speeds convergence and 
reduces possibility of routing loops. Area Border Routers attach 
to multiple areas. 


¢ Routing information is authenticated. Only trusted routers can 
participate in routing. A variety of authentication schemes can 
be used. Most implementations these days just use a simple 


password. ; 
Network 
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OSPF Path Cost 


¢ The network administrator assigns a path cost on each router 
interface. A cost per IP Type of Service may be assigned. 


¢ Path cost can be based on bandwidth using the following 


equation: 

100,000,000 / bandwidth of the underlying network 
Bandwidth Path Cost 
100,000,000 (100 Mbps Ethernet) 1 
16,000,000 (16 Mbps Token Ring) 6 
10,000,000 (Ethernet) 10 
4,000,000 (4 Mbps Token Ring) ps 
1,544,000 (T1) 65 
64,000 (DS 0) 1562 
9600 (Serial) 10,417 
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What Does TCP Do? 


¢ Reliable Internetwork Packet Delivery 


e Efficient Flow Control 


Multiplexing (Conversations and Connections) 


e Error Control (Checksum) 


Network 
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TCP Functionality: Basics 


e §=6Virtual Circuit a ie o 


¢ Correct order delivery to the application 


Host A Host B 


¢ Full duplex operation 


¢ Unstructured stream of Bytes 


Host A Host B 


ht 
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TCP Header 


Sequence Number 
Acknowledgement Number 
Data UJA] PIRES 
Reserved |RIK]S|S Window 
Offset GIGIHIT 


Options ( if created) 


An Introduction to TCP/IP Davidson, pg. 51 
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- TCP Fields 


oe / a + i i  - + =. 
a An aiken identifying a process in the enttne Host. == 
(0 - 2 to the power of 32 minus 1). 
- 2 to the power of 32 minus 1). 
: 
Os 
: 
a. Network 
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| ACK Field is relevant. 


TCP Fields (cont’d.) 


Receiving TCP should immediately deliver segment to receiving ULP. 


Reset connection due to delayed duplicates, host crashes, etc. 


Connection request. 
Connection termination - sender won’t transmit any more data. 
The number of bytes that the sender is willing to accept. 


The 16-bit One’s complement of the One’s complement sum of all 16- 
bit words in the Header, Pseudo Header and Text. 


A position offset from the sequence number which points to the last 
byte of urgent data. Only interpreted when URG Control Flag Set. 


Reserved for misc. things, such as maximum segment size. 


Network 
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What Is a Port? 


Port 


j t — Information 
ti, Retrieves 


Information 


A “Drop Point” 


“Portal” - “A Doorway, Gate, or Entrance” 
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TCP Connection Establishment = 
The 3-Way Handshake - 

Station A Network Station B 
Messages si 


Send SYN (SEQ = X) @ 

Max Segment Size = A ~ 
Receive SYN 
Send SYN (SEQ = Y), ACK (X¥ +1) am 


@ Max Segment Size = B 


Receive SYN, ACK Segment 


Send ACK (Y + 1) i. Oe cy 
Receive ACK Segment 


Network oo, 
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TCP Functionality: Reliable Delivery 


¢ Positive Acknowledgement with Retransmission (PAR) 


Host A ; Host B 


DATA 
a eee 


¢ Sequence Numbers 
Host A ae Host B 
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TCP Functionality: Efficient Flow Control 
Sliding Windows 


e Simple PAR mechanisms waste bandwidth - sender must 
receive ACK prior to sending more data. 


¢ Sliding window protocols allow multiple transmissions 
without an ACK. 


e Sliding windows provide flow control. 


e Each station has a send and a receive window. 
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siete - 
Sliding Window Example 


Highest byte which 
Lowest byte Next byte can be sent before 
not yet ACK’d to send another ACK is necessary 


Window slides this way 
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Dual Windows In A 
+i Full Duplex Environment = 


123 4[567.8 9]10 A's SEQ # = 5 (first byte of frame) 1ofo8]7654321 
Size of data frame from A = 5 bytes 
A’s ACK # = 8 (next byte expected from B) 
A’s window size = 2 (max bytes A can receive from B) 


B’s SEQ # = 8 (first byte of frame) 

Size of data frame from B = 2 bytes 

B’s ACK # = 10 (next byte expected from A) 

B’s window size = 5 (max bytes B can receive from A) 


10[9 87654321 123 4[5 678 4 10 
Receive Receive 
Window Window 

Network 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 TCP - 12 m| General 


$ . ff U . ot ma © Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


TCP Exercise 


Load the trace file 3WAYWIND.ENC and press F3 twice. 


1. 


Use the ‘Manage names’ function to change the name 192.42.252.20 to Sun_Atlantis and 
192.42.252.1 to Sun_Jupiter. Save names. 


Where is the 3-way handshake? 


What is 192.42.252.20 (Sun_Atlantis’) maximum segment size? 


What byte number will 192.42.252.1 (Sun_Jupiter) send first? 
What byte number will 192.42.252.20 (Sun_Atlantis’) send first? 


What is 192.42.252.1 (Sun_Jupiter’s) initial window size? 
What is 192.42.252.20 (Sun_Atlantis’) initial window size? 


In packet 5, what range of bytes is 192.42.252.1 (Sun_Jupiter’s) “Send window?” 


In packet 17, what range of bytes is 192.42.252.1 (Sun_Jupiter’s) “Receive window?” 
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TCP Exercise (Cont'd) 
Trace File: 3WAYWIND.ENC 


8. What distinguishes packets 4 and 10 from the others? 


9. How long does it take the 3-way handshake to complete? 


10. What is the throughput, in bytes/second of the data transfer shown in packets 5-20? 


Network 
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1541568000 
46336001 


46336001 
46337025 
46338049 
46339073 
1541568001 


womriIInNnNt WN 


= 
- O 


1541568001 
46340097 
46341121 
46342145 
46343169 
1541568001 
46344193 
46345217 
46346241 
46347265 
1541568001 


NN KK RK RK Re RE ES eR 
KF OO PAAKDUNA WN 


46336001 
1541568001 


Trace File: 3WAYWIND.ENC 


46336000 
1541568000 
4633 6001-463 40096 


<Different Circuit - FTP Control> 


1541568001 
1541568001 
1541568001 
1541568001 
46340097 


24576 
24576 
24576 
24576 
0 


4633 6001-463 40096 
4633 6001-463 40096 
4633 6001-463 40096 
4633 6001-463 40096 
154156800 1-1541592576 


<Different Circuit - FTP Control> 


46340097 

1541568001 
1541568001 
1541568001 
1541568001 
46344193 

154156800 1 
1541568001 
1541568001 
1541568001 
46348289 


154156800 1-1541592576 
46340097-463 44192 
46340097-463 44192 
46340097-463 44192 
46340097-463 44192 

154156800 1-1541592576 
463441 93-463 48 288 
463441 93-463 48 288 
463441 93-463 48 288 
463441 93-463 48 288 

154156800 1-1541592576 


4633 6001-463 40096 
154156800 1-154 1592576 


14) 
46340097-463 40097 


46340097-463 44 192 
154156800 1-1541592576 
| 
| 
@ 
46344193-463 48 288 
154156800 1-1541592576 
| 


a) 
4634828-4635 2383 
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—— 
Adaptive Retransmission in TCP 


SS ‘ SE ~~ 
SS ‘ [00:00 | Seg ment 84779 ‘ . ~~ 


Alea ACK Segment 84779 i 
SV . s 
SS 


¢ Helps TCP identify network congestion and set 
timeout value for retransmissions appropriately 
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LS EI I 
TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 TCP - 16 General 


© Copyright 1990 - 1994 Network General Corponation. All rights reserved. 


When Data Must Be Delivered 
Right Away... 


Push Urgent Pointer 


Sender Receiver 


Data Delivered 
Immediately Receiving TCP must forward data to application immediately 
(e.g.: Interactive Terminal) (e.g.: CTRL-S, CTRL-Q) 
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Resetting a TCP Connection 


Sender Receiver 


Application TCP TCP Application 


Abnormal 
Condition 


Reset Connection 
Message “RST” Segment 


Reset Connection 
— 
Message 


Network 
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Closing TCP Connections 


Sender Receiver 


Application ar Application 


__“No More Data” 


Message 
“FIN” Segment 


ACK “FIN” Segment 
es 


Inform Application. > 


“FIN” Segment 
‘ Close Connection 
Message ACK “FEN” Segment 


—Close Connection 
Message. 


Network 
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The Effect of Segment Size 
On Performance 


Small Segments Large Segments 


Header over 3x Data: 
therefore, only 1/3 of 
Network Bandwidth 
is being used. 


Too much fragmentation time. 
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oe - 
Common TCP Problems 


e “Silly Window Syndrome” — receiver keeps advertising a small 
window and sender keeps filling it with small packets, which 
utilizes bandwidth poorly 


¢ ‘Delayed Duplicates” — a duplicate packet delivered because the 
sender thought the original never arrived. Can occur as a result of 
the “Write First, ACK Second” problem 


¢ Poor bandwidth utilization due to insufficient buffer space or too 
few large buffers, forcing fragmentation and reassembly 


¢ Transport version incompatibilities 
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TCP Troubleshooting 


e Using a protocol analyzer, decode TCP frames to check for: 
— Acontinuously small receive window 
— Continuous use of small buffers 
— Duplicate packets 

Use of various options not recognized by receiver 

— System crashes which may have made data invalid 


e Contact TCP vendor to check default values and see if other 
options exist 


¢ Read documentation to see whether TCP implementations, 
versions are incompatible 
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UDP/TCP Port Numbers 


FTP Control 
Application 
Layer 


SMTP e@ 25 TELNET@ 23 DOMAIN r 53 


FTP Data 


Transport 
Layer 


ALLLELELLLLLELELLELDLLLLLLLIMLLLTLIMSLLLTTELLLLLLLLLSSSSSISISSSSSSSLSASSESLSSLSLELELLSSSELSLSSELSSSLSSELELSESSSSSSSSISLSSSSELSSSSSSSDSS SS 


Lower 
Layer 
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The Window Troubleshooting Exercise 


Problem: TELNET users report slow response time and 
intermittent hangs. 


Load the trace file C\CAPTURE\TC 103\WINDOW.ENC and press F3 twice. 


1. Set up a Pattern match Display filter to only display packets with an advertised TCP 
window = 0. 


2. Set up an Address level filter to only show frames that use IP addressing. (Note: this 
is an Address level filter, not a protocol filter.) 


3. Onhow many separate circuits do window = 0 situations occur? 
4. What port pairings are involved? 


5. Are they all TELNET (port 23) circuits? 


6. What IP host addresses are involved in the circuits where window=0 situations occur? 


Network 
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The Window Troubleshooting Exercise (cont'd) 


7. On which circuit is the window advertised as 0 the most often? 


8. Oncircuit 18694 — 23, what do you think the user is typing? (i.e. what is the Telnet data?) 


9. What is unique about circuit 30984 — 23? 


10. Turn off your Pattern Match filter for TCP window = 0. Set up a Pattern match Display 
filter to look at only traffic on circuit 30984 — 23. Compare the packets preceding the reset 
packets. What do you notice? 


11. Read the following text from sections 9.2.15.1.2 and 9.2.15.1.3 of the TCP specification. 
Given this text, what is the most likely problem with this circuit? 


C 
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The Window Troubleshooting Exercise (cont'd) 


9,2.15.1.2 When connection is in any non-synchronized state: 

When the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), a reset is sent in 
the following cases: The incoming segment acknowledges something not yet sent (that is, the segment carries an 
unacceptable ACK), or an incoming segment carries security information which does not exactly match that 
designated for the connection. Resets generated in the nonsynchronized states are made acceptable as follows. 

When the incoming segment has as ACK field, the reset segment takes its sequence number from the ACK field 

of the incoming segment; otherwise, the reset segment carries a sequence number equal to zero and acknowledgement 
field set to the sum of the sequence number equal to zero and acknowledgement field set to the sum of the sequence 
number and text length of the incoming segment. The connection remains in the same state. 


9.2.15.1.3 When connection is in any synchronized state: 
If the connection is in a synchronized state (ESTABLISHED, FIN-WAIT1, FIN-WAIT2, CLOSE-WAIT, CLOSING, 


LAST-ACK, TIME-WAIT),any unacceptable segment (such as one with an out-of-window sequence number or an 
unacceptable acknowledgement segment) must elicit only an empty acknowledgement segment containing the current 
send sequence number (SEND_NEXT) and an acknowledgement indicating the next sequence number expected to be 
received (RECV_NEXT). (Note that if the unacceptable segment is an empty ACK segment, replying with an ACK may 
result in a cascade of ACKs. In general, do not ACK an unacceptable empty ACK segment.) The connection remains in 
the same state. [f an incoming segment has security information or a precedence level which does not exactly match 
those designated for the connection, a reset is sent; the connection enters the CLOSED state. The reset segment takes its 
sequence number from the ACK field of the incoming segment. 


Source: MIL-STD-1778, 12 August 1983, pg 89 [ DDN Protocol Handbook pg 1-249] Net ork 
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ee “ 


Minimizing Memory-to-Memory 
Copy Operations 


NIC 


Memory 
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To Minimize Copying... 


1. Ensure transmitted size is a multiple of the hardware page size 
(Easy: adjust segment appropriately prior to transmission.) 


2. Align data on a page boundary 
(Harder: header must be fixed length) 


Page 


Header 


O 
Network 
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: TH : 


¢ LH = Link Header (Ethernet, in this case) 


6 - Byte Destination Address 
6 - Byte Source Address 


2 - Byte Type (1000 - 100FH) <—— 


e Data = Normal Packet Information 

° TH = “Trailer Header” 

¢2B = Normal Ethertype 

¢©2B = Size of Header area (TH + TRLR) 
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“TRLR- 


(indicates TRLR; 1000+ # of 
512-byte pages of data). 


e TRLR = Normal network and transport level protocol headers. 
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Trailer Exercise 


Load the trace file TRAILERS.ENC and press F3 twice. 


1. How many 512 byte data pages are specified by the Ethertype in Packet 1? 


Packet 9? 


2. In packet 1, at what byte offset into the frame does the IP header begin? 


3. In packet 1, at what byte offset into the frame does the data begin? 


Network 
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User Datagram Protocol (UDP) 
Header 


0 78 15 16 23 24 31 


Destination 
Port 


Length Checksum 
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UDP Pseudo Header 


15 16 
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FieldTength Fi Field Description 


Source Address IP Address of the Source 


Destination Address | IP Address of the Destination 
Zero All Zeros 


Protocol The IP Protocol Type Code for UDP (17) 


UDP Length —_| ‘The Length of the UDP Datagram 


Renee Pom (opsiemal) The Port Number of the Sending Process 
Destination Port 
Length 


Checksum 


The Port Number of the Destination Process 
The Length, in bytes, of the entire User Datagram, including Header and Data 


The 16-bit One's complement of the One's complement sum of the Pseudo- 
Header, Header, Data and any padding necessary to make a 16-Bit multiple 
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TELNET 
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The TELNET Model 


Terminal or Terminal or 
Process Process 


e TELNET provides “...a fairly general, bi-directional, 8-bit byte 
oriented communications facility.” 


¢ A Network Virtual Terminal “...is an imaginary device which 
provides a standard, network-wide, intermediate representation 
of a canonical (basic) terminal.” 


(MIL-STD 1782) 
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The Network Virtual Terminal 


Network Virtual Terminal 


Outgoing Incoming 
Data Data 


L 
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2 
Important TELNET Processes 


Host Process 


Server TELNET 


TCP/IP 


Network Rae rface 


Network Virtual Terminal Host Terminal-Oriented Process 


NN 
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Binary Transmission 856 
Echo 857 
Reconnection * 
Suppress Go Ahead 858 
Approx Message Size Negotiation * 
Status 859 
Timing Mark 860 
Remote Controlled Trans and Echo 726 
Output Line Width * 
Output Page Size * 
Output Carriage-Retum Disposition 652 
Output Horizontal Tab Stops 653 
Output Horizontal Tab disposition 654 
Output Formfeed Disposition 655 
Output Vertical Tabstops 656 
Output Vertical Disposition 657 
Output Linefeed Disposition 658 
Extended ASCII 698 
Logout 727 
Byte Macro 732 
Data Entry Terminal 735 
SUPDUP 736,734 
SUPDUP Output 749 
Send Location 7719 
Terminal Type 930 
End of Record 885 
TACACS User Identification 927 
Output Marking 933 
Terminal Location Number 947 


Extended-Options-List 


861 
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Assigned TELNET Options 
Option ID Name REC# Category 


(0) 
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 


16 


— 


WWWNHWWWWNHNN WN KE RP RR Re Re RP RP EP NWNN WHEN 


w 


Categories: 


1 = changes, enhances, or refines 
characteristics of the Network 
Virtual Terminal 


2 = changes the transfer protocol 


3 = allows other information not 
part of the user data or transfer 
protocol to be defined and 
passed over the connection 


* = written before current 
RFC format was in use 


NN 
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TELN ET st ncn ei ininct Protocol 


Neg tiation R Result 


~ | Sender wants to orale the < Cheer agrees - option is 
option enabled at sender side 


Sender wants to enable the Receiver disagrees - option is 
option not enabled at sender side 


Sender wants receiver to Receiver agrees - option is 
| enable the option enabled at receiver side 


Sender wants receiver to Receiver disagrees - option is 
: enable the option not enabled at sender side. 


Sender wants receiver to Receiver agrees - option is 


Hy 


disable the option disabled at receiver side 


WON’T | Sender wants to disable the Receiver agrees - option is 
option disabled at sender side 


Table 6.4 Stallings, 1988, pg. 159 Network 
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—— 
TELNET Option Negotiation : 
Rules 


1. You can always say “No” to someone who wants to dance. 
(“Thou may always reject an ‘Enable’ Request’ ) 


2. If someone doesn't want to dance with you anymore, 
accept it graciously. 
(“Thou must always accept a ‘Disable’ Request” ) 


3. Don’t start dancing until you’ve heard whether your 
partner wants to. 
(“Options are never enabled until negotiation is complete” ) 


4. Don’t ask someone to dance if they’re already dancing. 
(“Never respond to or initiate a request for something which is 


” 
already true”’ ) Network 
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© 
The TELNET Echo Option 


Keyboard Terminal Handler Local User Process 
Signals Echo 
(Default) 
TELNET User TELNET Server 
Remote 
Echo 
| (Optional) 
Network 
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—————————— 2 
A TELNET Echo Example 


User Server Host 
‘ TELNET TELNET Process 
re 
sd Nate 


"8 


“pe 
e -—___________[ Pp}? ] 
“RETURN 
<CR, L 
“TOP<RETURN>” ——3 
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TELNET Commands 


Command Sequence: <I[AC> <COMMAND CODE> <OPTION CODE> 
(Regular Negotiation) 


Meni 


Command 


SE 
NOP 
Data Mark 


End Subnegotiation 


No Operation 


The Data Stream portion of a Synch. Should always be 
accompanied by a TCP Urgent ‘Notification 


NVT Character “BRK” 
“Tp” 
“AQ” 
“AYT” 
“EC! 
“BL” 
“GA” 
Begin Subnegotiation 


Break 
Interrupt Process 
Abort Output 
Are You There 
Erase Character 


Erase Line 
Go Ahead 
SB 
"will" 
Won't 
Do 
Don't 


e Previous Discussion 


Interpret as command 
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Supporting More Complex Terminals: 


Subnegotiation 


A Forms Mode Application 


+ Define Form Structure 


Define Field Attributes 


Map User Input To Identifier 
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TELNET Exercise 


Load the trace file TELNET1.ENC and press F3 twice. 


1. What happens in packets 1-3 of this trace? 
2. What option negotiation inefficiencies can you find? 
3. What is the user’s password? 


4, What information does the “ACK” in packet 58 acknowledge? 


5. Most keystrokes in TELNET produce 3 packets. Which packet takes less time 
after the preceding one, the echo or the following acknowledgement? 


Network 
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TELNETI1 Trace 


076A03 07FD89 SYN (Client Port = 2921; Server Port = 23) 

07FD89 076A03 } SYN ACK 

076A03 07FD89 ACK (Conclusion of 3-way handshake) 

076A03 07FD89 Client says “Do suppress go-ahead” (Push) 
“Will terminal type” 

07FD89 076A03 Server ACKs 

07FD89 076A03 Server says: “Do terminal type” (Push) 

076A03 07FD89 Client ACKs 

07FD89 076A03 Server says: “Will suppress go-ahead” 

“SB“ 


076A03 O7FD89 j; Clients says: “SB” (Push) 
07FD89 076A03 Server says: “Will Echo” (Push) 
“Do Echo” 
076A03 07FD89 Client says:: “Do Echo” “Won’t Echo” (Push) 
07FD89 076A03 jj Server says: “Don’t Echo” (Push) 
076A03 07FD89 Client ACKs 
07FD89 076A03 Server sends “Login” (Push) 


Network 
General 
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. Uniner “9 0™ © 
on EE ——————— ee 2 ea, 
TELNET1 Trace (cont’d) 
Packet ee 
| Number) | oe 

15 076A03 
16 076A03 Client user types “D” (Push) 
17 07FD89 Server Echos “D” (Push) 
18 076A03 | Client ACKs 

19-21 Client User types “E”; Server Echos; Client ACKs (Push) 

22-24 Client User Types ““M”; Server Echos; Client ACKs (Push) 

25-27 Client User types “O”; Server Echos; Client ACKs (Push) 
28 076A03 {| O7FD89 Client sends <OD> <00> (Carriage Return - Null) 
29 O7FD89 } 076A03 Server sends <OD> <O0A> (Carriage Return - Line Feed) 
30 076A03 07FD89 Client ACKs 
3] 07FD89 076A03 Server sends “Password” (Push) 
32 076A03 } O7FD89 Client ACKs 
33 076A03 07FD89 Client sends “C” (Push) 
34 07FD89 076A03 Server Acks 
35 076A03 | O7FD89 Client sends “R” (Push) 
36 07FD89 076A03 Server ACKs 
37 076A03 07FD89 Client sends “A” (Push) 


38 07FD89 076A 03 Server Acks 


Network 
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TELNETI1 Trace (cont'd) 


076A03 07FD89 Client sends “Z” (Push 
07FD89 076A03 Server ACKs 
076A03 07FD89 Client sends ““Y” (Push) 

07FD89 076A03 Server ACKs 

076A03 07FD89 Client sends “1” (Push) 

07FD89 076A03 Server ACKs 

076A03 07FD89 Client sends ““<OD> <00>” (Push) 
07FD89 076A03 Server sends “<0D> <0A>” (Push) 
076A03 § O7FD89 Client ACKs 

07FD89 076A03 Server says “No directory. . .” (Push) 
076A03 07FD89 Client ACKs 

07FD89 076A03 Server sends “Last login. . .” (Push) 
076A03 07FD89 Client ACKs 

07FD89 076A03 Server says: “Ngc%” (Push) 
076A03 07FD89 Client ACKs 

076A03 07FD89 Client says: “d’” (Push) 

07FD89 076A03 Server Echos: “d’” (Push) 

076A03 07FD89 Client says: “i” (Push) 

07FD89 076A03 Server Echos: “i” (Push) 

076A03 07FD89 Client ACKs 

076A03 07FD89 Client says: “r” (Push) 

O7FD89 ;} 076A03 Server Echos: “‘r’” (Push) 
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61 076A03 O7FD89 {| Client ACK 
62 076A03 O7FD89 { Client sends <OD><00> (Push) 
63 07FD89 076A03 { Server sends <OD> <0A> (Push) 
64 076A03 O7FD89 | Client ACKs 
65 07FD89 076A03 Server sends “DIR:” (Push) 
66 076A03 O7FD89 { Client ACKs 
67 O7FD89 { 076A03 {| __ Server indicates “Command not found” 
68 076A03 } O7FD89 | Client ACKs 
69-75 | Server sends “LS”; Client ACKs each packet 
76-79 | Server sends directory info; client ACKs each packet 
80-94 | Client sends “Quit” 
95-96 Server indicates “Command not found”; client ACKs 
97-109 | Client sends “Exit” 
110-111 | Server sends “Logout” message; Client ACKs 
112-115 | Connection termination 
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TELNET Exercise #2 


Load the trace file SNMP.ENC and press F3. 


1. Press Enter on the Connections Diagnosis. What is the diagnosis? 
2. Press F2 to Filter and Display data for this connection. 
3. What command was the user trying to type? 


4. How would you characterize the TELNET performance from the user’s point of 
view? 


5. What are some possible causes for the performance the user is experiencing? 
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130,128.1.10 10.2.0.10 Client sends “‘r” 

130.128.1.101 10.2.0.107 Client sends “rm” 

130.128.1.101 10.2.0.107 Client sends “rm<space>” 
130.128.1.101 10.2.0.107 Client sends “rm d” 

130.128.1.101 10.2.0.107 Client sends “rm de” 
130.128.1.101 10.2.0.107 Client sends “rm dea” 

10.2.0.107 130,128.1.101 Server ACKs and echos “m ” 
10.2.0.107 130.128.1.101 Server ACKs and echos “d” 
130.128.1.101 10.2.0.107 Clients sends “ead” 

10.2.0.107 130,128.1.101 Server ACKs partial data 
10.2.0.107 130,.128.1.101 Server ACKs partial data and echos “ea” 
130.128.1.101 10.2.0.107 Client sends “d.” 

10.2.0.107 130.128.1.101 Server ACKS and echos “‘d” 
130.128.1.101 10.2.0.107 Client sends “‘.1” 

130.128.1.101 10.2.0.107 Client sends “le” 

130,128.1.101 10.2.0.107 Client sends “let” 

10.2.0.107 130.128.1.101 Server ACKS and echos “rm dead” 
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FTP/TFTP 
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General 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 


Men Uniuenaiteg™ © Copyright 1990 - 1994 Network General Corpomtion. All rights reserved. 
FTP MODEL 


Server 
Control 
Process 


User 
Control 
Process 


FTP Commands/Replies 
Server Port = 21 


Server 
Data Transfer 
Process 


User 
Data Transfer 
Process 


Data Connection 


Server Port = 20 


Server Client 


© 
Network 
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Options for Resolving Data Representation 
and Storage Differences 


¢ Provide support for every Data and File Type. 


(Specification too big and not stable) 


¢ Convert to a Single Network Virtual File Type. 


(Too many conversion modules required) 


- Assume files share a few basic properties, and support those. 
(FTP Does This!) 
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FTP Data Type 


ASCII - Default for Text Files 


EBCDIC - Used for IBM Text Files 


8 8 8 


IMAGE - Used for exchanges between machines of the same type. 


».4 x 


Network 
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FTP File Structures 


¢ File — No internal structure; file is a continuous sequence of bytes. 


| | || er = is ‘ mM 


¢ Record — File made up of sequential records. 


Cit 
aan 


Cit] 


¢ Page — File made up of independent, indexed pages. 


O 
Network 
General 
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FTP Transmission Modes 


« Stream 
— Data transmitted as a stream of bytes. 
— Record structures allowed. 


¢ Block 
— Data transmitted as a series of data blocks 
preceded by header bytes. 


¢ Compressed 
— Filler and replicated data are compressed. 


Network 
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FTP Commands 


_ Function’ 


Identifies the User. 

Allows User to state password. 

Allows User to state account. 

Terminates a User, resets all parameters. 

Logs a User out. 

Allows User to specify a Host/Port combination. 


Requests the Server Data Transfer Process to “Listen” for a connection 
rather than initiate one upon receipt of a Transfer Command. 


Specifies Data Representation Type (ASCII, EBCDIC, IMAGE, LOCAL). 


Specifies File Structure (File, Record, Page). 


Specifies Data Transfer Mode (Stream, Block, Compressed). 
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FTP Commands (coni’a.) 


Command) = Function” 


Causes the Server Data Transfer Process to transfer a copy of the file specified 
to the User Data Transfer Process at the other end of the connection. 


Causes the Server Data Transfer Process to accept and store the specified file. 
If file already exists, new one is substituted. 


Causes the Server Data Transfer Process to accept and store the specified file. 
If file already exists, new one is appended. 


Reserves storage space for a file transfer operation. 

Restarts a file transfer at an indicated spot. 

Specifies a file to be renamed. 

Specifies a new pathname of the file specified in the “RNFR” command. 


Tells the Server to abort the previous FTP service command and any 
associated data transfer. 


Causes a specified file to be deleted at the server. 
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are 7. 


FTP Commands (cont'd.) 


_ Command 


Allows User to change working directory. 


Causes a list (either a directory listing or file information) to be sent from the 
Server to the passive Data Transfer Process. 


Causes a directory listing to be sent from Server to User. 
Used by the Server to provide services specific to its system. 


Causes a status response to be sent over the command connection. Allows a 
Server to inform a User of operation status. 


Causes the Server to send “Help” information over the command connection. 


Specifies no action. Server must send an o.k. reply. 
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— ————e 
FTP Replies 


FTP User FTP Server 


Command 


X: Denotes whether response is good, bad or incomplete. 
Y: Specifies type of reply. 


Z: Provides finer gradation of meaning to “Y” types. 
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User 


User Specifies Account se ; 
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Sample FTP Transfer 


User Starts FTP 


Name and Password 


User Specifies Filename 
and Options 


User Quits FTP 


Client Server 


User FTP Establishes 
Control Connection 


Server Replies FTP 
Service Available 


| 


Client Sends Account 
Information to Server 


Server ACKs 


Client sends information 
to Server 


Data Processes 
Created 


Server 
Sends Data 


Client ACKs 
Each Segment 


Server 
Dav 
ire 
Data Processes rOCESS 
Closed 


Control Processes 
Closed 


SSE 
——————— i 
—————_—— 
Server ACKs ——_——_— 
a 
a 
— 


Server 
——— er aral 
VTOCUSS 
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FTP Reply Codes 


Numeric Order List of Reply Code: 


110 Restart marker reply. 


In this case, the text is exact and not left to the particular 

implementation; it must be read: MARK yyyy = mmmm. Where 
yyyy is User-process data stream marker, and mmmm server’s 
equivalent marker (note the spaces between markers and “=” ). 


120 Service ready in nnn minutes. 
125 Dataconnection already open; transfer starting. 
150 File status okay; about to open data connection. 
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200 
202 
211 
212 
213 
214 


215 
220 
221 
225 
226 
227 
230 
250 
257 
331 
332 
350 
421 
425 
426 
450 
451 
452 
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FTP Reply Codes (cont'd) 


Command okay. 

Command not implemented, superfluous at this site. 

System status, or system help ready. 

Directory status. 

File status. 

Help message. On how to use the server or the meaning of a particular non-standard command. 
This reply is useful only to the human user. 

NAME system type. Where NAME is an official system name from the list in the Assigned Numbers document. 
Service ready for new user. 

Service closing control connection. Logged out if appropriate. 

Data connection open; no transfer in progress. 

Closing data connection. Requested file action successful (for example, file transfer or file abort). 
Entering Passive Mode (hl, h2, h3, h4, pl, p2). 

User logged in, proceed. 

Requested file action okay, need password. 

“PATHNAME” created. 

User name okay, need password. 

Need account for login. 

Requested file action pending further information. 

Service not available, closing control connection. This may be a reply to any command if the service knows it must be shut down. 
Can’t open data connection. 

Connection closed; transfer aborted. 

Requested file action not taken. File unavailable (e.g., file busy). 

Requested action aborted: local error in processing. 

Requested action not taken. Insufficient storage space in system. 
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FTP Reply Codes (cont'd) 


500 Syntax error, command unrecognized. 
This may include errors such as command line too long. 
501 Syntax error in parameters or arguments. 
502 Command not implemented. 
503 Bad sequence of commands. 
504 Command not implemented for that parameter. 
530 Not logged in. 
532 Need account for storing files. 
550 Requested action not taken. 
File unavailable (e.g., file not found, no access). 
551 Requested action aborted: page type unknown. 
552 Requested file action aborted. 
Exceeded storage allocation (for current directory or dataset). 
553 Requested action not taken. 
File name not allowed. 


RFC 959, October 1985, Postel & Reynolds, DDN Protocol Handbook - Vol.2, pp 2-779-2-781 
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FTP Exercise 


Load the trace file FTP1.ENC and press F3 twice. 


In what packets is the first FTP data circuit established? 


The first FTP control circuit? 


What is strange about packets 22-24? 


Why is the window size sometimes 0 after four 1024B transfers and sometimes 4096? 


How many instances of TCP Connection Close can you find? 


What is the data throughput of the file transfer in B/S, from packets 42-98? 
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FTP1 Trace 


< 


Sender Receiver es Description — 

1 076A03 07FD89 TCP SYN 

> 07FD89 076A03 TCP SYN ACK 3-way handshake for FTP control connection; 

3 076A03 07FD89 TCP ACK initiated by client. Client Port = 2916; Server Poit = 21 

4 07FD89 076A03 ACK P3; Server sends message indicating its FTP server is ready (Push) 
076A03 07FD89 ACK “Server Ready” message 

6 076A03 07FD89 Send User login info to Server 

7 O7FD89 076A03 Server ACKs User login info 

8 O7FD89 076A03 Server sends FTP data indicating password required (Push) 

9 076A03 07FD89 Client ACKs Server request for password 

10 076A03 07FD89 Client sends password “CRAZY 1” (Push) 

07FD89 076A03 Server ACKs and indicates User demo logged in (Push) 

076A03 07FD89 Client ACKs “User logged in” message 

13 076A03 07FD89 Clients issues “Port” command (Push) (Specifies Data Port to be used) 
07FD89 076A03 Server indicates “Port command successful” (Push) 
076A03 07FD89 Client issues “List” command (Push) 
07FD89 076A03 Server ACKs “List”? Command 
07FD89 076A03 TCP SYN; Max-Seg. Size = 1024 Fry P'ulala ceanesiian’ belay Speneds Welliated by 
076A03 07FD89 TCP SYN ACK Server, Client Port = 2917; Server Port = 20 
07FD89 076A03 TCP ACK 
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FTP1 Trace (cont'd) 


Packet 
Number. 


076A03 “Data Connection” (/BIN/LS) message on FTP control circuit (Push) 
07FD89 ACK data connection message 
076A03 “ASCII transfer complete” message on control circuit (Push) (Note: Message 
has not yet been sent) 
076A03 Data (1024B) received on data circuit; window increased to 24KB 
076A03 Data (695B) received on data circuit 
076A03 FIN received on data circuit 
07FD89 Client ACKs data 
076A03 | O7FD89 Duplicate of previous packet, except ID number incremented and window 
back up to 4096B 
076A03 | 07FD89 Duplicate again, except ID number incremented and window back down to 
4066B 
076A03 Duplicate again, except ID number incremented, window returns to 
4096B and FIN 
07FD89 FTP dat circuit ACK 


076A03 | 07FD89 Client issues “Type A” command (Push) 
O7FD89 | 076A03 Server ACKs; indicates “Type set to A” (Push) 
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Packet 
Number: 


076A03 
076A03 
O7FD89 076A03 


076A03 07FD89 
O7FD89 076A03 
07FD89 076A03 
O7FD89 076A03 
O7FD89 076A03 
07FD89 076A03 
07FD89 076A03 
076A03 07FD89 
076A03 07FD89 
076A03 07FD89 
07FD89 076A03 
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076A03 07FD89 


Client ACKs 
Client issues “Port” command (Push) 
Server indicates “Port command successful” (Push) 
Client ACKs 
Client wants to “Retrieve” the /ETC/TERMCAP file (Push) 
Server starts 3-way handshake for FTP data circuit; 
Client Port = 2918; Server Port = 20 
SYN ACK from Client 
ACK from Server 


“Data Connection” (/ETC/TERMCAP) message on FTP control circuit (Push) 


Received 1024B of data 
Received 1024B of data 
Received 1024B of data 
Received 1024B of data 
ACKs; Window = 0(!) 


Window back up to 4096B (message comes from Client control circuit) 


Server ACKs (on data circuit) 
Received 1024B of data 
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FTP 1 Trace (cont’d) 


Sender, Receiver Description 


07FD89 076A03 Received 1024B of data 

07FD89 076A03 Received 1024B of data 

07FD89 076A03 Received 1024B of data 

076A03 07FD89 ACKs; window size = 4096B (!) 

07FD89 076A03 Received 4096B of data 

076A03 07FD89 ACKs; window size = 4096B 

07FD89 076A03 Received 4096 of data 

076A03 07FD89 ACKs; window size = 0 

076A03 07FD89 Window back up to 4096B; message comes from data circuit (??) 


Process continues; window goes to zero roughly every other time. 
076A03 Server indicates ‘“‘ASCII transfer complete” (Push) 


07FD89 Clients ACKs 
076A03 Server sends more data (4096B!) 
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Number 


“You faked me out!”; window = 0 


181 076A03 


182 076A03 “I’m almost all better” (FTP control circuit) 
183 076A03 “T’m all better” (FTP data circuit) 
184-187 07FD89 Received 4096B of data 
188 076A03 “Now I’m really confused!”; window = 0 
189 076A03 “Back to normal” (FTP data circuit) 
190-193 07FD89 Received 4096B of data 
194 076A03 “O.K., I can handle more” 
195-198 07FD89 Received 4096B of data 
199 076A03 “Fine” 


Process continues with receiver having its window 
reduced to “0” once in a while. 
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FTP1 Trace (cont'd) 


Packet 
Number 


“2 Reeciver 


07FD89 076A03 984 bytes of data; FIN 

076A03 07FD89 Client ACKs 

076A03 Client FIN ACKs 
erver ACK 

076A03 Client issues “Port” command (Push) 

07FD89 076A03 Server indicates “Port command successful” (Push) 

076A03 07FD89 Client issues “Store /TMP/TERMCAP” message (Push) 

07FD89 076A03 Server ACKs 

07FD89 076A03 Server opens data connection (SYN); Server Port = 20; Client Port = 2919 

076A03 07FD89 SYN ACK 

07FD89 076A03 ACK 

07FD89 076A03 Data connection ((TMP/TERMCAP) message on FTP control circuit 

076A03 07FD89 Client ACKs and sends 1024B of data 

240-242 076A03 07FD89 Clients sends another 3072B of data 

243 07FD89 076A03 Server ACKs; its window is still huge (24,576) 
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FTP1 Trace (cont’d) 


Number 
244-247 
245 


Client sends 4096B of data 
Server ACKs 


076A03 
07FD89 


07FD89 
076A03 


Pattern continues, with occasional instances 
where the Server ACKs after only two 1024B data 
packets from the client. 


076A03 
07FD89 
07FD89 
07FD89 
076A03 
076A03 
076A03 


07FD89 
076A03 
076A03 
076A03 
07FD89 
07FD89 
07FD89 


FIN ACK 
Server ACKS 
Server sends message indicating “FTP transfer complete” (Push) 
Server sends FIN ACK 

Client ACKS (FTP data connection closed) 
Clients ACKs on FTP control circuit 

“FTP Quit” message on control circuit (Push) 


07FD89 076A03 Server says “Goodbye” (Push) 
07FD89 076A03 Sender sends FIN ACK 
076A03 07FD89 Client ACKs 

076A03 07FD89 Client FIN ACKs 

07FD89 076A03 Server ACKs 
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TETP 


A simple protocol to transfer files 
Built on UDP 

Can only read/write files 

Fixed length block sizes 
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1. Net ASCII 
2. Binary 
3. Mail (Net ASCII to User, rather than file) 
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TETP Header/Packet Formats 


2 Bytes String 1 Byte String 1 Byte 
RRQ/ “NETASCI" 
OPCODE = 1/2 Filename “Binary” Q 
WRQ “Mail” 
2 Bytes 2 Bytes n Bytes 
2 Bytes 2 Bytes 
2 Bytes 2 Bytes String 1 Byte 


ERROR [iver Error Code Hitoy Message 


Network 
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A Typical TFTP Transfer Sequence 


Sender Receiver 


_ FILENAME = “File 1” | — 
_ MODE = “NETASCII” 


“DAT 99 


“ACK” 
“DATA” 
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TFTP Transmission Errors 


Sender Receiver 


“File Not Found” (1) 
“Access Violation” (2 


Disk Full or Allocation 


Connection Exceeded” (3) 


Termination ee 
“Tllegal TFTP 
Operation” (4) 


Connection 
Continues 


“Incorrect Source 
Port” 
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TFTP Transfer Identifiers (TIDs) 


Host A Host B 


Chooses TID 
at random (X) 


Destination = 
Well-known TID = 69 


Source TID = X 
Dest TID = Y 
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TETP Traces 
(I +2) 


der Receiver 


Description | 


Number be 


Client does ARP Broadcast looking for PA of 128.1.0.1 


488C11 E58C11 


E58C11 488C11 128.1.0.1 responds with HA = WDES8C11 
488C11 E58C11 Client sends TFTP read request on file “CONFIG.SYS” 
E58C11 488C11 128.1.0.1 sends a data packet with 76B of data 


488C11 ES58C11 Client ACKs 


488C11 
E58C11 
488C11 


ES58C11 
488C11 
E58C1l 


Client does ARP Broadcast looking for PA of 128.1.0.1 

128.1.0.1 responds with HA = WDES8C11 

Client sends TFTP write request on file “JUNK.TXT” 
(abnormal termination)* 


E58C11 
488C11 
E58C11 


488C11 
E58C11 
488C11 


128.1.0.1 ACKs 
Clients sends (writes) 76B of data 
128.1.0.0 ACKs 


* Note: “Abnormal Termination” message 
printed because Decode Module finds extra 
data at the end of the frame which it didn’t expect. 
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The SMTP Model 


Queued 
Message 


To Port 25 


on 
Se ee 


Receiver 
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nee = 
SMTP Conventions 


« Pathnames 
Smith @ NGC.COM is written as @ SRI - NIC.ARPA, @ 
UCLEDU: Smith @ NGC.COM 


« Character Case 


Preserved, but not significant 


¢ Reverse - Path 


A list of hops a message has taken to this point (e.g.: <@ 
SRI-NIC.ARPA, @ UCI.EDU: Smith @ NGC.COM>) 


¢ Forward - Path 
A list of hops a message has yet to take (e.g.: <@ SRI-NIC.ARPA, 
@ UCIEDU: Smith @ NGC.COM>) 
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SMTP Commands 


Allows Sender to identify itself. 

Identifies originator of a message. 

Identifies recipient(s) of a message. 

Transfers message text. 

Specifies that the current transaction should be aborted. 

Requires a message to go to the User’s terminal. 

Sends a message to a User’s terminal (if possible) and the User’s mail box if not. 
Sends a message to both the User’s terminal and the User’s mail box. 

Allows Sender to verify a User. 

Allows Sender to expand a mailing list. 

Allows a receiver to send helpful information to a Sender. 

Performs no real work; used primarily for debugging. 

Allows a Sender to close the SMTP connection. 

Reverses the roles of the Sender and Receiver (once a connection has been established). 
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SMTP Replies 


Reply Format: XYZ: Text Message 


Where: Text message offers an English 


X = First Digit explanation of the code. 
Y = Second Digit 
Z = Third Digit 


¢ First Digit: A Summary Response e Second Digit: More Specific Responses 


1 = Positive Preliminary 1 = Syntax 

2 = Positive Completion 2 = Information 
3 = Positive Intermediate 3 = Unspecified 
4 = Transient Negative Completion 4 = Unspecified 
5 = Permanent Negative Completion 5 = Mail System 


¢ Third Digit: Greater Granularity on the Specific Summary Response 
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SMTP Reply Codes 
(Numeric Order) 


211 System status, or system help reply 
Help message 
(Information on how to use the receiver or the meaning of a particular non-standard 
command, this reply is useful only to the human user) 
220 < domain> Service ready 
221 < domain> /service closing transmission channel 
250 Requested mail action okay, completed 
User not local; will forward to <forward-path> 
354 Start mail input; end with < CRLF>.<CRLF> 
421 < domain> service not available, closing transmission channel 
(This may be a reply to any command if the service knows it must shut down) 
450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy) 
451 Requested action aborted: local error in processing 
Requested action not taken: insufficient system storage 
500 Syntax error, command unrecognized 
(This may include errors such as command line too long) 
m. SOl Syntax error in parameters or arguments 
n. 502 Command not implemented 
o 503 Bad sequence of commands 
Pp. 
q 


ome 
N 
ran 
- 


Soe me Ae 
nN 
wr 
w 


ee 
BS 
Nn 
Nn 


504 Command parameter not implemented 
550 Requested action not taken: mailbox unavailable 
(e.g., mailbox not found, no access) 
r 551 User not local; please try <forward-path> 
s. 552 Requested mail action aborted: exceeded storage allocation 
t. 553 Requested action not taken: mailbox name not allowed 
(e.g., mailbox syntax incorrect) 
u. 554 Transaction failed 


\ 
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SMTP Connection Setup 


Sender Receiver 


Open TCP Connection 


Receiver Ready 


HELO: Sender Name - 


“OK, I believe you” 


Network 
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SMTP Mail Transfer 


Sender Intermediate Hops Receiver 


<CRLF>.<CRLF> fs Message Received) 
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SMTP Intermediate Hops 


Sender @ Domain1 SRI - NIC.ARPA 


UCLEDU Receiver @ Domain2 
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SMTP Connection Close 


Sender Receiver 


“QUIT” cocasenasaccnnbiies 


MACK” 
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—— TY, 
SMTP Forwarding 


Sender Receiver 


- RCPT To: 
_ <Forward - Path> 


User not local: 
will forward to 
<Forward - Path> : 


User not local: 


please try 
<Forward - Path> 
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Displaying Mail Directly on 
User Terminals 


SEND: 
(Send) 
mm) (If user is active) 
SOML: — 
(Send or Mail) : (If user is not 
active) 
Sender 
oe 8 8=—eers—O (If user is active) 
SAML: 
(Send and Mail) 


sis if (In either case) 
Network 
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SMTP Optimizations 


SMTP 
Message 


Many 
Users 
on 
one Host? 


User 1 User 2 User 3 


One 
message 


SMTP 
Messages 


Many 
messages 


One TCP 
Connection 
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SMTP Exercise 


Load the trace file SMTP1.ENC and press F3 twice 


1. In which packet is the message actually sent? 
2. In which packet does the server indicate it is delivering the mail? 
3. In which packet does the server verify the recipient? 


4. Which is the message termination packet? 
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SMTP1 Trace 


076A03 Dso | Syn | —_ 
07FD89 Syn Ack Larcr 3-way handshake 
076A03 ACK 


07FD89 076A03 Send mail server indicates ready (Push) 

076A03 07FD89 Client sends “HELO” message to identify itself (Push) 
07FD89 076A03 Server replies (Push) 

076A03 07FD89 Client indicates who mail is from (Push) 

07FD89 076A03 Server verifies mail Sender is legitimate (Push) 

076A03 07FD89 Client identifies mail Recipient (Push) 

07FD89 076A03 Server verifies mail Recipient is legitimate (Push) 

076A03 07FD89 Client indicates a mail message is coming (Push) 

07FD89 076A03 Server ACKs (TCP) 

07FD89 076A03 Server instructs Sender to end its message with a “*.” (Push) 
076A03 07FD89 Client ACKs and sends message (Push) 

07FD89 076A03 Server ACKs (TCP) 

076A03 07FD89 Message termination packet sent (Push) 

07FD89 076A03 Server verifies that message was received and accepted (Push) 
076A03 07FD89 Client issues command to exit mail utility (Push) 

07FD89 076A03 Server ACKs and Indicates it is delivering mail (Push) 
076A03 07FD89 Client sends “FIN” 

O7FD89 | 076A03 Server ACKs 

07FD89 076A03 Server Sends “FIN” 

076A03 07FD89 Client ACKs 
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Progress in Device Naming 


¢ Names not useful for human 
Actual Physical Addresses understanding. 


¢ Doesn’t work well for large numbers 


of machines. 
Logical Addresses: e¢ Names are convenient and short. 
Flat Name Space 
¢ Doesn’t work well for large numbers 
of machines. 
Logical Addresses: * Efficient name mapping. 
Hierarchical Name Space ¢ Distributed name management. 
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Hierarchical Naming 
The Phone System 


¢ Each exchange assigns its own subscriber numbers. 


e Within an area code, “Abbreviations” are allowed. 
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Resolving Domain Names 


eS a 
= 3 
A Domain Name 
Server has a database 
of Resource Records 
(RRs) that map names 


aetna to addresses and other 
Resolver Software seamed EMirienn 


(If Recursive 
Resolution) 


TCP 
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Top Levels of Domain Space 


ix 


UK 
/\ ISI ‘ i \ | 
¢ Over 30 Domains under the Root. 
¢ The NIC grants authority to other institutions to 
manage names below the second level 
Network 
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DNS Name Format 


Labels Label Fields 


WAS 


i | 


Farthest Closest 
From To 
Root Root 
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Reading Domain Names 


I\\ 7 


L7 L8 L9 


/| 
/\. | 


L10 Lil L12 L13 


\ ¢ Each label may be up to 63 bytes long. 


e Examples: 
— training.ngc.com 
— math.uiowa.edu 


L15 


“L14.L13.L6.L2.” 
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a = 
DNS Message Compression 


Differentiates 
from Labels (0,0) 


Bit number: | 6 1 | 7 8 15 


Data: 


Network 
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Domain Name Caching 


Server 


Resolver 


Les ama 


Workstation 


Network 
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DNS Message Format 


eader 


‘Question Section | The question(s) 
SARC ACESS “<< for the Name Server 
RRs answering the 
question 


“<3 RRs pointing toward 
~¥ an authority 


\uthority Section — 


Additional Information Section | RRs holding | 
SSG RRS << SS additional information 


Feith He RNS SS 
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o———+ | 
DNS Format Expansion 


| Additional Information | 


O 
Network 
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DNS Fields Explained 


Identifier 


QR 
OPCODE 


AA 
(Authoritative Answer): 


TC 
(Truncation) 


RD 
(Recursion Desired) 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 


The Header 


An Identifier assigned by the program that generates any kind of query. Copied 
to the corresponding reply, it is used to match requests and replies. 


Specifies either a query (0) or a response (1). 


Specifies the kind of query: 
0 = Standard (Maps a domain name to a resource) 
1 = Inverse (Maps a resource to a domain name) 
2 = Server Status Request 
3-15 = Reserved for Future Use 


Valid only for responses. Indicates that the responding Name Server is an 
authority for the Domain Name in question. 


Indicates the message was truncated because it was too long for the 
transmission channel. 


Directs the Name Server to pursue the query recursively (support is optional) 


Network 
General 
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DNS Fields Explained 


The Header (cont‘a.) 


RA Indicates that recursion support is available or not. 
(Recursion Available) 


Z Reserved for future use. 


Response Code 0 = No Error 
1 = Format Error (Name Server can’t interpret query) 
2 = Server Failure 
3 = Name Error (Domain Name referenced does not exist) 
4 = Not Implemented (Name Server doesn’t support request) 
5 = Refused (Name Server refuses to execute request for policy reasons) 
6 - 15 = Reserved for future use. 


QDCount Specifies the number of entries in the “Question” Section. 

ANCount Specifies the number of Resource Records in the “Answer” Section. 

NSCount Specifies the number of Resource Records in the “Authority” Records Section. 
ARCount Specifies the number of Resource Records in the “Additional” Records Section. 


Network 
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DNS Fields Explained 


Question Section Format 


A Domain Name represented as a sequence of Labels, where each Label consists 
of a length byte followed by that number of bytes. 


Specifies the type of query (See “DNS Type Codes” slide). 


Speates the class of the query: 
RCLASS = “IN” The Internet 
2 = “CS” The CSNET (obsolete) 
3 = “CH” The CHAOS Class 
4= “HS” HESIOD 
255 = Any Class 


Network 
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DNS Fields Explained 


Resource Record Format 


eld Description 


Variable NAME | The Domain Name to which this RR pertains. 
16 TYPE | An RR Code Type. Specifies the meaning of data in the RDATA Field. (See 
| “DNS Type Codes” slide). 
16 CLASS | Specifies the class of data in the RDATA Field. 
TTL | Time to Live. Specifies the number of seconds the RR can be cached before it 


| should be discarded. 
RDLENGTH _| Specifies the length, in bytes, of the RDATA field. 


Variable RDATA Describes the resource. Format varies according to the type and class of the RR. 


Network 
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ee 


DNS Type Codes 


: a host address 

| an authoritative name server 

a mail destination (obsolete - use MX) 
| a mail forwarder (obsolete - use MX) 

| the canonical name for an alias 

: marks the start of a zone of authority 

| a mailbox domain name (experimental) 
| a mail group member (experimental) 


oO moOnNI DN BP WN 


| a mail rename domain name (experimental) 


— 
So 


| a null RR (experimental) 


_ 
_ 


| a well known service description 


_ 
NY 


a domain name pointer 

host information 

| mailbox or mail list information 
| mail exchange 

text strings 

| NetBIOS name 


eS eas Bias Network 
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DNS Exercise 


Load the trace file DNS3.ENC and press F3 twice 


1. How many of the responses are authoritative responses? 
2. Which DNS reply has the most Resource Records? 
3. How long does it take for the reply to packet 4 to be received? 


4. How about the reply to packet 3? 


5. Why the large discrepancy? 
6 


7. LOTSA.STANFORD.EDU is an alias or nickname for a machine. 
What is the real name for LOTSA.STANFORD.EDU? 


. Did the requester in packet 3 ask for a recursive lookup? 


Network 
General 
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To = 
DNS3 Trace 


| Receiver 
Standard query for name = ??? ? 36.2.0.5 
36.53.0.10 
Standard query for name = ??? 36.53.0.10 
10.0.0.52 
Standard query for HART. PRESS 36.53.0.10 
ID = 33628 192.5.22.82 
Standard mail query for STANFORD.EDU 128.9.0.32 
ID = 204 36.53.0.10 
Authoritative response for the mail query 
36.53.0.10 
ID = 204 128.9.0.32 
Standard query for SUSHI.STANFORD.EDU 36.26.0.53 
ID =0 36.53.0.10 
Authoritative response for “SUSHI. . .” 36.53.0.10 
ID = 0; address is 36.8.0.53 36.26.0.53 
Standard query for LOTSA.STANFORD.EDU 36.27.0.47 
ID =0 36.53.0.10 
Network 
General 
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teceiver: | 


063841 Authoritative response for “LOTSA. . . 36.53.0.10 
ID = 0; address is 36.48.0.1 36.27.0.47 


0027C0 Standard query for LITHO-STANFORD.EDU 36.22.0.116 
ID = 2608 36.53.0.10 


063841 Authoritative response for “LITHO. . .” 36.53.0.10 
ID = 2608; address is 36.22.0.100 36.22.0.116 


0027C0 Standard query for name = ??? 36.2.0.5 
36.53.0.10 


0027C0 Authoritative response for “HART.PRESS” 192.5.25.82 
Name error; ID = 33628 36.53.0.10 


0027CO } 063841 Authoritative response for “HART.PRESS” re rs 


099 36.53.0.10 
0027CO ¢} 063841 Standard query for name??? 26.3.0.103 


063841 0027CO Standard mail query for SUSHILSTANFORD.EDU 36.21.0.20 
ID = 1284 36.53.0.10 
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DNS3 Trace (cont’d) 


ritative response but no answers; 36.53.0.10 
ID = 1284 36.21.0.20 


Standard query for SUSHILSTANFORD.EDU 36.8.0,132 
ID=0 36.53.0.10 


Authoritative response for “SUSHI. . .” 36.53.0.10 
ID = 0; address = 36.8.0.53 36.8.0, 132 
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SNMP History 


1/87 3/87 1/88 3/88 9/88 Present 
NYSERNET begins Several SGMP operational.  Intemet Activities First SNMP products CMIP still a 
operation. NYSERNET Board (IAB) agrees introduced at Interop “FUTURE” ; 

organizations and that SGMP (SNMP) '88 by Proteon, SNMP 

Proteon start Se ‘eluate 4 Wollongong, a defacto 

developing SGMP. pe ere aoe Wellfleet and FTP standard 


CMIP is long-term 
Intemet network 
management 
solution. 


Software. 


© 
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SNMP Design Objectives 


Design Goal: Led To: 


Good Response Time 


| 
Making SNMP stateless 


Ability to manage a faltering network | 
Simplicity, low device overhead Putting intelligence in managers | 
rather than managed devices. | 


Use of standards Choosing ASN.1 as 
presentation layer and 


Ease of migration to OSI (CMIP) Pirin bar (MIB). 
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SNMP Model 


Network 
Element 


Network Management Station 


TONOHOR'0 
442m 


P 
RE Manager 
Network Gel Sen ii T Ses : 
; ie 
Element st 
P 
BRE 
ON | Response 
TT i-—_——> 
Ol 
CT 
a O Y 
L 


Network 
Element 


| Response 


mOnNoOHOoxn' 
~4e-9zim 
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Se aa a a 5 Oe ET EIT ITS 
TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 SNMP-4 General 


$ . ff U. . 4 vine © Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


SNMP Messages 
Agent Manager 


Request 


Get - Next 


Contains the values of 
the requested variables, 


Response 


Network 
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SNMP Fields Defined 
(Commands 0 - 3) 


Version 


Variable Community An SNMP Agent along with an associated set of SNMP applications. 
16 Command 0 = Get Request 
1 = Get Next Request 
2 = Get Response 
3 = Set Request 
48 Request ID Allows SNMP application entities to correlate incoming responses with 
outstanding requests. 
24 Error Status 0 =No Error 
1 = Too Big 
2 = No Such Name 
3 = Bad Value 
4 = Read Only 
5 = Generic Error 
24 Error Index For errors, the index of an object name component in the received message. 
(Only valid for GetResponse PDUs). 
Variable Variable Bindings Variable name/variable value pairings. 
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SNMP Fields Defined 
(Command 4) 


Version 0 
Variable Community An SNMP Agent along with an associated set of SNMP applications. 
16 Command 4=Trap 
Variable Enterprise The type of object generating the trap 
48 Agent Address The address of the object generating the trap 
48 Trap Type 0 = Cold Start 4 = Authentication Failure 


(Generic) 1 = Warm Start 5 = EGP Neighbor Loss 
3 = Link Up 6 = Enterprise Specific 


Specific Trap Trap specific code. 


Time Stamp Time elapsed between the last (RE) initialization of the network 
entity and the generation of the trap. 


Variable Bindings Variable name/variable value pairings. 


©) 
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MIB Object Identifiers 


ae 


ISO(1) =CCITT 


4 


Internet (1) 


ISO/CCITT 


ea 


Directory (1) prunige met (2) Experimental (3) Private (4) 


First & second versions (1) 
(MIB I & Il) 
(Reserved for | 
Directory use) 
(Used to identify objects which 


are defined in [AB-approved 
documents) 


(Used to identify (Used to identify 
objects used in objects defined by 
Internet experiments) private vendors) 
Enterprise (1) 


Individual Vendor 


Products Network 
SG RR PB SY 
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Each MIB Object Has... 


A Name: (Identifies the object) 
“SYSDESCR _ 1.3.6.1.2.1.1.1” 
Object Descriptor Object Identifier 


e A Syntax: 


¢ An Encoding: 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 


(Defines the object’s structure) 
“Octet String” “Integer” 


(An object’s representation, using the object’s 
syntax) 

“The local IP address for this TCP connection” 
“Read only” 

“Mandatory” 


Network 
General 


Object: 
Syntax: 


Definition: 


Access: 
Status: 


Object: 
Syntax: 


Definition: 


Access: 
Status: 


Object: 
Syntax: 


Definition: 


Access: 
Status: 


SEA | 
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MIB Object Type Examples 


At PhysAddress 

Octet String 

The media-dependent “Physical” address 
Read-Write 

Mandatory 


TCPConnLocalAddress 

Integer (0...65535) 

The local IP address for this TCP connection 
Read only 

Mandatory 


IPAddrEntry 
Sequence { 
IPAdEntAddr, (IP address) 
IPAdEntlfIndex, (Integer) 
IPAdEntNetMask, (IP address) 
IPAdEntBcastAddr, (Integer) 
The addressing information for one of this entity's IP addresses 
Read-only 
Mandatory 


SNMP-10 


@ 
Network 
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MIB Objects 
RFC 1213-MIB II 


1.3.6.1.2.1. 


en 


Address 
System (1) Interfaces (2) Translation (3) IP (4) ICMP(5) TCP (6) UDP(7) EGP(8) Xmission (10) SNMP (11) 
SysDescr (1) IfNumber (1) ATTable (1) ICMPInMsgs (1) EGPInMsgs (1) 


SysObjectID 2) bp IrTable (2) ATEntry (1) ICMPinErrors (2) EGPInErs (2) 
SysUptime (3) IfEntry(1) 
IfIndex (1) IPForwarding (1) TCPRtoAlgorithm (1) UDPInDatagrams (1) SNMPInPkts (1) 
IfDeser (2 
silos cplatiiieleshet TCPRtoMin (2) UDPNoPorts (2) SNMPOutPkts (2) 
TPInReceives (3) . 
‘ TCPRtoMax (3) UDPInErrs (3) e 


IPAddrTable (20) SNMPOutTraps (29) 


IPAddrEntry (1) 


©) 
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SNMP Exercise 


Load the trace file SNMP.ENC and press F3 twice. 


1. Find the reply to packet 4. How many errors has 130.128.1.1 seen on frames 
coming into its interface card (ifInErrors)? 


2. How many errors has 130.128.1.1 seen on frames going out of its interface card 
(ifOutErrors)? 


3. What might cause errors on frames going out of an interface card on Ethernet? 


4. Find the reply to packet 19. What value does 130.128.1.1 have in its routing table 
for the next hop to network 130.128.0.0 (ipRouteNextHop for 130.128.0.0)? 


Network 
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SNMP Exercise (continued) 


5. Explain the value that 130.128.1.1 has in its routing table for the next hop to 
network 130.128.0.0. 


6. Find the reply to packet 24. What value does 130.128.1.1 have in its routing table 
for the next hop to network 0.0.0.0 (ipRouteNextHop for 0.0.0.0)? 


7. What is the significance of 0.0.0.0 in an IP routing table? 


O 
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O7F2F1 {| O1E954 TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 
01E954 {| O7F2Fl {| GetNext TCP Conn Rem Addr + TCP Conn State 

O7F2F1 {| 00394E TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 
00394E { O7F2Fl j Get “If In Errors” and “If Out Errors” 

00394E {| O7F2Fl1 ; Get Next TCP Conn Rem Addr + TCP Conn State 

O7F2F1 {| O1E954 4 TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 
01E954 | O7F2Fl { Get Next TCP Conn Rem Addr + TCP Conn State 

07F2F1 {| 00394E If In Errors = 0 Packets; If Out Errors = 0 Packets 

O7F2F1 {| 00394E }; TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 
00394E | O7F2Fl1 { GetNext TCP Conn Rem Addr + TCP Conn State 

O7F2F1 {| O1E954 % TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 
01E954 | O7F2Fl { GetNext TCP Conn Rem Addr + TCP Conn State 

O7F2F1 {| 00394E { TCP Conn Rem Addr = 0.0.0.0; TCP Conn State = “Listen” 


OMmAANMBEWNHH 


07F2F1 | O1E954 | TCP Conn Rem Addr = 130.138.44.10; TCP Conn State = “Established” 
01E954 | O7F2F1 | Get IP Route Next Hop (130.128.0.0) 


O7F2F1 | O1E954 | No suchname (IP Route Next Hop 130.128.0.0) 


© 
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SNMP Trace (cont'd) 


O1E954 | O7F2F1 Get IP Route Next Hop (0.0.0.0) 


O7F2F1 | O1E954 IP Route Next Hop (130.128.1.2) 


042DF4 | O1E954 | Get ICMPINECHOS 
01E954 042DF4 ICMPINECHOS = 8 messages 


01E954 | 042DF4 Get IPADENTININDEX (192.32.99.10) 
042DF4 | 01E954 ICMP destination unreachable (why?) 
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Provides Information on Remote Hosts. 


RLOGIN 


A terminal emulation protocol, similar to 
“TELNET”. 
RSH A protocol allowing execution of commands on 
a Remote Host. 


A protocol allowing the remote reporting of 
statistics. 


A remote copy protocol, similar to “FTP”. 


@ 
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RWHO 
(Remote Who) 


(Updates database) 
(Updates database) 


¢ Provides information about remote hosts 
¢ Usually sent once a minute 
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RWHO Frame Format 


Version RWHO Program Version. 
Type Packet type 
Send Time Time packet was sent. 
Receive Time Time packet was received 
256 (32B) Host Name The internet name of the packet's sender. 
96 (12B) Load Average The average Host load at 5, 10, and 15- minute intervals. 
32 Boot Time Time the Host was last booted. 


Variable User Information Information about Users on the system. 
(24B each line) 


©) 
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RWHO Exercise 


Load the trace file RWHO1.ENC and press F3 twice. 
1. How many seconds went by between the 4th and 5th “RWHO” message in this trace? 


2. How many users are logged on to the RWHO Host called GATEWAY? 
(Note: Don’t let the name confuse you. This particular device (192.42.252.3) provides 
both gateway and server functions.) 


3. Are these users doing any computation? 


4. How can you tell? 


@ 
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04F4CC 


04F4CC 


04F4CC 


04F4CC 


04F4CC 


Broadcast 


Broadcast 


Broadcast 


Broadcast 


Broadcast 
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A Brief History Of The NFS Protocols 


November 
1984 1985 1987 1990 
Announced by Locking Incorporated Currently over 
Sun Microsystems; mechanism into ONC 200 implementations 
Specs put into public domain family of on most major 


protocols operating systems 
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ONC (NES) Protocol Family 


Application 


Presentation 


Session 


NFS: A group of procedure calls that provide transparent, remote access to filesystems 


Network Information Services: A distributed directory service. 


Status Monitor: Allows applications to monitor the status of other machines. 

Lock Manager: Works with the status monitor to ensure correct recovery of file locking information after a client or 
server crash. 

XDR: A data representation language allowing consistent information representation between different NFS 
implementations. 

RPC: A transport-independent messaging protocol which allows transparent communication between a 


client and server by bundling and transporting procedure calls parameters between the two. 


\ 
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Other Sun Application Layer Protocols 


¢ Network Disk (ND) 
— Used to access virtual disks located remotely across the 
network, and to boot diskless workstations 


¢ Port Mapper (PMAP) 
— Maps RPC program numbers to TCP or UDP port numbers 


e Mount 
— Used during initialization of a remote user’s access to a 
network disk, including access checking and account validation 
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NFS Definitions 


¢ “Server” 
— A piece of software where network services are implemented. 


¢ “Client” 
— A piece of software that initiates remote procedure calls to servers. 


¢ “Network Service” 
— Acollection of one or more remote programs (e.g., "Network File Service"). 


« “Remote Program” 


— AnRPC - based application program (e.g., NFS, NIS, Lock Manager) which 
implements one or more remote procedures. 


¢ ‘Remote Procedure” 
— A subroutine which performs work for a remote program (e.g., ''Write Data"). 
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RPC: Definition and Motivation 


e Provides a mechanism for communication between 
distributed processes 


e Provides a familiar model for distributed applications 


- Extends the familiar programming model of a 
procedure call to distributed applications 


e Hides details of programming on the network 


- Programmer does not need to learn about networking 


Network 
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The RPC Model 


Local Procedure Calls 


Main Program 


Pas Procedure A ( ) 


ae Procedure B(_ ) 
Procedure B ( ae . 
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Remote Procedure Calls 
Computer A Computer B 


Main Program 


oe 


. RPC 
Procedure A <a Procedure A() 


(waits) 


“ RPC 
Call 


: Re Oe eres 
evvvecccceraecneasceeeece EBON 
Procedure B Cail Procedure B(_ ) 
(waits) 
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RPC Protocol Messages 


Computer A Computer B 


RPC-Based Application RPC-Based Application 


RPC RPC 
Reply RPC Request 
Cali eget Call 
Processing Call Processing 


Network 
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RPC “Call’’ Message Fields 


Nam 


Transaction ID Used to match “Calls” with “Replies”. 


Type 0 (call) 


Version The version of the RPC Program (Must be “2”). 
Program The identification number of the application program using RPC. 
Procedure The application program procedure number. 


Authentication 0 =NULL 


Credentials 1 = UNIX 
Flavor 2 = SHORT 
3 = DES 
Authentication The number of bytes of credential authentication data to follow 

Credentials 

Byte Count 
Network 
General 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 RPC -5 


Variable Authentication 
Credentials 
Data 


Authentication 
Verification 
Flavor 


Authentication 
Verification 
Byte Count 


Variable Authentication 


Verification 
Data 
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Authentication data 


0 =NULL 

1 = UNIX 
2 =SHORT 
3 = DES 


The number of bytes of authentication verification data 
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RPC “Reply” Message Fields 


Transaction ID Used to match “Calls” with “Replies”. 


Type 1 = Reply 


0 = Accepted 
Status 1 = Denied 


0=NULL 
Authentication 1 = UNIX 
Credentials 2 = SHORT 
Flavor 3 = DES 


Authentication The number of bytes of verification authentication. 
Credentials 
Byte Count 


Variable Authentication 
Verification 
Data 


Accept Status 0 = Success 
1 = Program Unavailable 
2 = Program Version Mismatch 
3 = Procedure Unavailable 
4 = Garbage Arguments to Procedure 


\ 
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RPC Generator 


e SunOS provides rpcgen (Remote Procedure Call 
Generator) for programmers. 


e The programmer writes software using the RPC 
Language; rpcgen produces C language output, 
including skeleton versions of the client and server 
routines. 


e Running the command rpcgen prototype.x generates the 
following source code files: 


prototype.h header file 
prototype_xdr.c XDR routines 
prototype_svc.c server side skeleton 
prototype_clnt.c client side skeleton 


Network 
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Registered RPC Programs 


Program 

RPC Number iia: Description RPC Number Description 
100000 PMAPPROG portmapper 100026 BOOTPARAMPROG boot parameters service 
100001 RSTATPROG remote stats 100027 MAZEPROG mazewars game 
100002 RUSERSPROG remote users 100028 YPUPDATEPROG up update 
100003 NFSPROG nfs 100029 KEYSERVEPROG key server 
100004 YPPROG Yellow Pages 100030 SECURECMDPROG secure login 
100005 MOUNTPROG mount demon 100031 NETFWDIPROG nfs net forwarder init 
100006 DBXPROG remote dbx 100032 NETFWDTPROG nfs net forwarder trans 
100007 YBINDPROG yp binder 100033 SUNLINKMAP_PROG sunlink MAP 
100008 WALLPROG shutdown msg 100034. = NETMONPROG network monitor 
100009 YPPASSWDPROG yppasswd server 100035 DBASEPROG lightweight database 
100010 ETHERSTATPROG ether stats 100036 PWDAUTHPROG password authorization 
100011 RQUOTAPROG disk quotas 100037 TFSPROG translucent file svc 
100012 SPRAYPROG spray packets 100038 NSEPROG nse server 
100013 IBM3270PROG 3270 mapper 100039 NSE_ACTIVATE_PROG __ nse activate daemon 
100014 IBMRJEPROG RJE mapper 
100015 SELNSVCPROG selection service 150001 PCNFSDPROG pc passwd authorization 
100016 RDATABASEPROG remote database access 
100017 REXECPROG remote execution 200000 PYRAMIDLOCKINGPROG Pyramid-locking 
100018 ALICEPROG Alice Office Automation 200001 PYRAMIDSYSS5 Pyramid-sys5 
100019 SCHEDPROG scheduling service 200002 CADDS_IMAGE CV cadds_image 
100020 LOCKPROG local lock manager 
100021 NETLOCK PROG network lock manager 300001 ADT_RFLOCKPROG ADT file locking 
100022 X25PROG x.25 inr protocol 
100023 STATMONIPROG status monitor 1 
100024 STATMON2PROG status monitor 2 
100025 SELNLIBROG selection library 


Source: ONCINFS Protocol Specifications and Services Manual, Revision A (7-29-88), Table 3.2, pp 62-63 
Also available in the file /etc/rpc 
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Call 
Accepted 
” 


Call 
Suuccecded 
J 


Reasons: 
. Program Unavailable 
um Version Mismatch 
fure Unavailable 
Arguments 
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Port Mapper 


Status Lock 
Monitor Manager 
Version Version 
2 2 2 


NFS 
Version 


NPS Status Lock 


Port Monitor Manager RPC 


ie Por Ez Port Cie 


Allows client programs 
to find associated 
server programs. 


UDP 
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Troubleshooting RPC 


rpcinfo makes an RPC call to a server and reports what it finds 


Options: 

—p Probe the PortMapper on the host, and print a list of all registered RPC programs 
—u Make an RPC call to procedure 0 of the specified program using UDP 

—-t Make an RPC call to procedure 0 of the specified program using TCP 

—n Use specified port number as the port number 


—b Make an RPC broadcast call to procedure 0 of the specified program and version 
using UDP and report all hosts that respond 


Network 
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RPC Exercise 
Trace File: C\CAPTURE\TC103\NIBROC.ENC 


1. Using managed names, change the name 129.144.40.241 to Hostl. 


2. Look at the Port Mapper data in frames 2 and 3. What port number does Host! tell Virago to use for 
the Mount program? (RPC program 100005) 


3. In frame 4, what is the UDP destination port number? 
4. In frame 4, what version of the Mount program does Virago use? 


5. Why did the Mount command in frame 4 fail? By the way don't be misled by the Sniffer saying frame 
5 is too short. The Sniffer is pointing out that the real data ends before the actual end of the frame. 
There are some extra bytes beyond the end of the RPC header. 
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RPC Exercise (cont’d) 


6. In frame 6, what version of the Mount program does Virago use? 


7. Was the Mount command in frame 6 successful? 
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XDR Basics 


¢ A standard (RFC 1014) for the description and 
encoding of data. 


e Similar to OSI’s ASN.1 in purpose. 
¢ Uses a language to describe data formats. 


¢ Allows machines which represent data in different 
ways to communicate. 


e Has been used to communicate data between such 
diverse machines as the Sun Workstation, VAX, 
IBM-PC, and Cray 


Network 
SS SE ea a SE 
TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 XDR -2 General 


© Copyright 1990 - 1994 Network General Corponation. All rights reserved. 


XDR Basics 
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Some XDR Definitions 


¢ XDR items are always a multiple of four bytes in length 
e Variable-length data must be padded with zeros 


e Byte order is always Big-Endian - the most significant 
(left-most) byte comes first. This is the standard for 
Motorola and SPARC chips, and IBM mainframes. It 
requires translation for Intel chips and DEC VAX 
computers. 
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Sun’s XDR Library 


¢ Used by programmers to guarantee data portability 


e Allows a program to read and write arbitrary C constructs in 
a consistent, specified, well-documented manner 


e Has filter routines for strings (null-terminated arrays of 
bytes), structures, unions, arrays, etc. 


Network 
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How Does NFS Work? 


Lie 


—_________. “Export” a (2) 
rib Mount Point 


SSMU? arene 


sei reeeacemencoceane sent eT ASEAN 


Transparent Network Operations 
in the form of 


Server Procedures 
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Sun NES Architecture 


System Calls 
VFS Interface 


Other 
VFS 
(Like PC-FS) 
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NES Design Goals 


e An NFS server is stateless - it does not remember previous 
calls; in general, this provides good performance. 


e An NFS server writes data to the hard drive first and then 
acknowledges - this takes longer, but the response means the 
write really happened. 


© An NFS client “reads ahead” - reads 8K bytes into the client 
memory cache. This improves performance. 


e An NFS client “writes behind” - sends data when 8K bytes have 
accumulated to send, or a timeout occurs. The NFS client 
software returns a response to the application before the write 
has really occurred. Some applications incorrectly process error 
messages that happen later when the NFS client actually 
attempts to send the data. 


f C) 
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NES Server Procedures 


Allows server response testing and timing 
Get file attributes Allows client to determine a server file's attributes 
Set file attributes Allows client to set (some of) a server file’s attributes 
Get filesystem root Obsolete. Requires moving pathnames between client and server 
Look up file name Allows client to perform a directory look-up on a file 
Read from symbolic link | Allows client to read data from a file pointed to by a symbolic link 
Read from file Allows client to read data from a file 
Write to cache Will be used in NFS Version 3; not used in Version 2 
Write to file Allows client to write data in a server file 
Create file Allows client to create a new file on a server 
Remove file Allows client to remove a file from a server 
Rename file Allows client to rename a file on a server 
Create link to file Allows client to create a file which is a link to another file 
Create symbolic link Allows client to create a file which is a symbolic link 
Create directory Allows client to create a directory on a server 
Remove directory Allows client to remove a directory on a server 
Read from directory Allows client to read some entries in a server directory 
Get filesystem attributes | Allows client to inspect the attributes of a server 


0 
1 
2 
3 
4 
5 
6 
7 
8 
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“Mount” Server Procedures 


rocedure Functionalit) 


Do nothing Allows server response testing and timing 


Add Mount Entry Adds another filesystem to the list of remote filesystems a client 
can access 


Return Mount Entries Allows a client to inspect its list of mounted filesystems 


Remove Mount Entry Deletes a filesystem from the list of remote filesystems a client 
can access 


Remove all Mount Entries | Deletes all filesystems from the list of remote filesystems a client 
can access 


Return Export List Allows a client to inspect the list of remote filesystems offered by 
a particular server 


Network 
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State-Related Problems With 
File locking in a Network Context 


(A’s locks held forever) 


(Loses all its lock information) 
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| —j\ 
NES Locking Service Architecture 


StationA Station B 
Local Local 
Applications Applications 
Lock Lock 
Requests Requests 
Lack RPC Lock Requests Lock 
Manager Manager 
Status Status Status Lineal 
Monitor essagek Monitor : 
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NFS Version 3 Protocol 


e New version from Sun Microsystems in 1994 


e 64-bit file-size field to support larger files. Also, 
restrictions on file transfer sizes have been relaxed. 


¢ Better security, including a new call to the server to 
check access rights. 


¢ Number of packets on the network is reduced by 
returning file attributes on every operation. (Reduces 
requests to get modified attributes.) 


e Write throughput bottleneck reduced by allowing “safe 
asynchronous writes.” Server can respond to write 
request before actually writing data to the hard drive. 


e Sniffer Analyzer 4.4 and above decodes NES Version 3. 


© 
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NFS Performance Factors 


e NES message size 

¢ Retry interval 

¢ Timeout interval 

¢ Relative client/server speed 


e Network/Gateway loading 


¢ Network MTU (Maximum Transmission Unit) 


Network 
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Common NES Problems 


¢ Delayed duplicates in non-idempotent situations 


e Timeouts due to large transfer size (8192B) and 
fragmentation and reassembly or gateway delays 


¢ Implementation incompatibilities 


Network 
TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 NFS - 11 General 


*4 ™ © Copyright 1990 - 1994 Network General Corponation. All rights reserved. 


NFS Troubleshooting 


¢ Does the problem involve NFS implementations by 
different vendors? If so, check for incompatibilities 


¢ Check gateway/router queues 


e Has a server or network segment crashed? 
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NES Troubleshooting 


¢ showmount issued on the server shows all file systems 
currently mounted by remote hosts 


¢ showmount issued with a hostname shows all the file 
systems currently mounted by that host 


¢ showmount issued with a directory name shows all the 
hosts currently mounting that directory 


¢ showmount - e hostname reports all the file systems that 
are exported by that host 


Network 
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NES Troubleshooting (nfsstat) 


—— | 


nfsstat displays statistical information about the NFS and RPC interfaces to the kernel. 


OPTIONS: 


-c Display client information. Only the client side NFS and RPC information 
printed. Can be combined with the -n and -r options to print client NFS or 
information only. 


will be 
client RPC 


-m Display statistics for each NFS mounted file system. This includes the server name and 
address, mount flags, current read and write sizes, the retransmission count, and the 
timers used for dynamic retransmission. The srtt value contains the smoothed round trip 
time, the dev value contains the estimated deviation, and the cur value is the current 


backed-off retransmission value. 


-n Display NFS information. NFS information for both the client and server side will be 


printed. Can be combined with the -c and -s options to print client or serve 
information only. 


-r Display RPC information. 


-s Display server information. 


rt NFS 


-Z Zero (reinitialize) statistics. This option is for use by the super-user only, and can be 
combined with the above options to zero particular sets of statistics after printing them. 


Source: nfsstat man page Sun Release 4.1 Last change: 7 October 1990 
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nfsstat (continued) 


THE SERVER RPC DISPLAY INCLUDES THE FOLLOWING FIELDS: 


calls The total number of RPC calls received. 


badcalls The total number of calls rejected by the RPC layer (the sum of badlen and 
xdrcall as defined below). 


nullrecv The number of times an RPC call was not available when it was thought to 
be received. 


badlen The number of RPC calls with a length shorter than a minimum-sized RPC 
call. 


xdrcall The number of RPC calls whose header could not be XDR decoded. 


Network 
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nfsstat (continued) 


THE CLIENT RPC DISPLAY INCLUDES THE FOLLOWING FIELDS: 


calls The total number of RPC calls made. 
badcalls The total number of calls rejected by the RPC layer. 


retrans The number of times acall had to be retransmitted due to a timeout while 
waiting for a reply from the server. 


badxid The number of times a reply from a server was received which did not 
correspond to any outstanding call. 


timeout The number of times a call timed out while waiting for a reply from the 
server. 


wait The number of times a call had to wait because no client handle was 
available. 


newcred The number of times authentication information had to be refreshed. 


timers The number of times the calculated time-out value was greater than or equal 
to the minimum specified time-out value for a call. 
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nfsstat (continued) 


THE SERVER NFS DISPLAY SHOWS: 
calls The total number of NFS calls received. 
badcalls The total number of calls rejected by the NFS layer. 


counts Counts and percentages for the various NFS procedures that were 
called. For example, how many Reads were there and what % of all 
the calls made were Reads. 


THE CLIENT NFS DISPLAY SHOWS: 

calls The total number of NFS calls made. 

badcalls The total number of calls rejected by the NFS layer. 

nclget The number of times a client handle was received. 

nclsleep The number of times a call had to sleep while awaiting a handle. 
counts Counts and percentages for the various NFS procedure calls made. 
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Sniffer University 
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C:\CAPTURE\TC103\NFSCMDS Trace (1) 
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Client 
Server 
Client 
Server 
Client 
Server 
Client 
Server 
Client 
Server 
Client 
Server 
Client 
Server 
Client 
Server 


Get filesystem attributes (17) 
Filesystem attributes returned 

Get file attributes (1) 

File attributes returned (Directory) 
Look up file name “SRCSUN3” (4) 
“SRCSUN3” is a Directory 

Look up file name “BINDIST” (4) 
“BINDIST” is a Directory 

Get file attributes (1) 

File attributes returned (Directory) 
Read from directory “SRCSUN3” (16) 
5 entries in directory 

Look up file name “ETC” (4) 
“ETC” is a Directory 

Look up file name “BIN” 

“BIN” is a directory 
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a NFSCMDS Trace (2) 


Look up file name “Sniffmaster’” (4) 
= Sniffmaster is a directory 
Client Read from directory “BINDIST” (16) 
ae Server 0 entries in directory 
Client Get file attributes (1) 
Server File attributes returned (directory) 
~ Client Read from directory (16) 
Server 4 entries in directory 
Client Look up filename “README” (4) 
o~ Server “README” information returned 
Client Look up filename “.ROOTMENU.EXAMPLE” (4) 
a Server *““ROOTMENU.EXAMPLE” information returned 
Client Read from directory (16) 
Server 0 entries in directory 
~ Client Get file attributes (1) 
Server File Attributes returned 
Client Read 8192 bytes at offset = 0 (6) 
= Server 130B of data read 
-~ Network 
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Get filesystem attributes (17) 
Filesystem attributes returned 
Get file attributes (1) 

File attributes returned (directory) 
Look up file name "MKTG" (4) 
No such file 

Create directory "MKTG" (14) 
Directory created 

Get file attributes (1) 

File attributes returned (directory) 
Get file attributes (1) 

File attributes returned (directory) 
Look up file name "TEST" (4) 
No such file 

Look up file name "TEST" (4) 
No such file 

Look up file name "TEST" (4) 
No such file 
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NFSCMDS Trace (4) 


Create file "TEST (9) 
Server File "TEST" created 
Client Get file attributes (1) 
Server File attributes returned (regular file) 
Client Write 108B at offset 0 in "TEST" (8) 
Server 108B written 
Client Get file attributes (1) 
Server File attributes returned (directory) 
Client Set file attributes (2) 
Server File Attributes Set 
Client Get file attributes (1) 
Server File attributes returned (directory) 
Client Look up file name "TEST2" (4) 
Server No such file 
Client Look up file name "TEST" (4) 
Server "TEST" information returned 
Client Look up file name "TEST2" (4) 
Server No such file 
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NESCMDS Trace (5) 


Command Number Originator —_——Description 


Client Look up file name “TEST2” (4) 
Server No such file 

Client Rename file “TEST” to “TEST2” (11) 
Server File renamed 

Client Get file attributes (1) 

Server File attributes returned (directory) 
Client Look up file name “TEST2” (4) 
Server “TEST2” information returned 
Client Remove file “TEST2” (10) 
Server File “TEST2” removed 

Client Remove directory “MKTG” (15) 
Server Directory “MKTG” removed 
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The NIBROC Troubleshooting Exercise 


Problem: Client hangs in the middle of an NFS write 
Trace File: C\CAPTURE\TC103\NIBROC.ENC 


Hint(s): 1. Virago client is trying to write a file (“junk”) onto an IBM_ mainframe 
that is running the MVS operating system and NFS server software. 


2. MVS can’t write “holes” in files, like UNIX can 


Because of a (now fixed) problem with SUNOS virtual memory, Sun 
NFS occasionally writes blocks of less than 8192B 


4. NFS implementations usually utilize 4 I/O daemons for I/O 
operations, each of which operates relatively independently. 


1. In which packet does Virago start writing to file “junk” on Sun 06442F 
(129.144.40.241)(Host1)? 


2. What is a possible explanation for the fact that many writes are not continuous? 


Network 
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3. To which write does the response in packet 70 apply? 
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The NIBROC Troubleshooting Exercise 
(cont'd) 


4. About how far behind does the sender typically allow the receiver to get? 
5. In frame 140, Virago writes 5120 bytes at offset 122880 in the file. What is peculiar about this? 


6. In frame 144 Virago writes 8192 at offset 131072 in the file. Does Virago ever fill in bytes 128000-131071? 


7. Compare packets 253 and 289. Now compare packets 265 and 295. Look at other packets which follow. What 
has happened? 


8. When was the last NFS response from Host! received? 
9. What material does it acknowledge? 


10. After what packet does the transmitter pause? 


Network 
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The NIBROC Troubleshooting Exercise 
(cont'd) 


11. What happens in packets 403-409? 


12. What happens starting in packet 414? 


13. What has gone wrong here? 


Network 
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The Readhang Troubleshooting Exercise ~ 


Lm, 
Problem: — Client hangs during file access to NFS server 
running a new NES implementation. 
Trace File = C\CAPTURE\TC103\READHANG.ENC 
a. 
Hint: NFS uses the “Modification Time” attribute to tell it when to update its data cache. 
The modification time indicator should only change when the file is altered. 
1. What is the mod time returned in packet 10? 
2. What is the mod time returned in packet 12? 
3. How does the mod time change in each of the other Read responses in the rest of the trace? 
(Hint: Notice the Read offset in packets 11 & 19, as well as 27 & 36. Why is the client re-reading the same 
portion of the file from the server?) s 
Network - 
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Network Information Services 
(Formerly “Yellow Pages”’) 


wtih asansen Client 


Slave 
Server 
| i oe | 


“= Client 


Slave — 
+ Server ~«- Client 


~~ Client 
Slave 
Server 
| i i oi. 


steal Client 


Maps 
¢ Replicated Data Lookup Service. 


¢ Files containing relationships are called ““Maps”. 


¢ NFS can be used without NIS ‘ 
Network 
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NIS Server Processes 


* ypinit — initial build and installation of an NIS server 


ypinit -m (create a new master server) 


ypinit -s (create a new slave server) 


¢ makedbm - utility to change text files into NIS dbm map 
(database) files at master server 


* ypserv — server process, runs as a daemon 


° rpc.ypupdated — daemon for changing map entries @ master 
server; updates slaves if they are out of date 


* yppush — propagate data from master to slave NIS server 


¢ ypxfr - transfer data from master to this slave NIS server 
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NIS Client Processes 


e ypbind — binding process, runs as a daemon, finds an 
NIS server by sending an RPC PortMapper broadcast 
message 


¢ ypcat — lets user list data in a map 


e ypwhich — lets user list the name of the server the client 
is currently bound to and the maps served by that NIS 
server 


e ypset - lets user set binding to a particular server 


Network 
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NIS Use of RPC/XDR 


¢ Uses UDP and TCP transports 


— TCP is used for transferring maps 
— UDP is used for everything else 


e Uses several RPC facilities 


— Callback RPC for map transfer 
— Broadcast RPC for binding to servers 
— Directed procedure call for everything else 


Network 
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| Sample NIS Maps 


¢ bootparams — pathnames of files clients need to boot 

¢ ether.byaddr — machine names and Ethernet addresses 

¢ group.byname — group security information 

¢ hosts.byname — host names and IP addresses 

¢ miail.aliases — aliases & mail addresses 

¢ netid.byname — machine name, mail address, used for security 
¢ netmasks.byaddr — IP subnetwork masks 

¢ passwd.byuid — passwords and user IDs 

¢ rpc.bynumber — RPC program names and numbers 


* ypservers — NIS servers known to your network 
¢ ete. 


Network 
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Internet Addresses 
27.8.4.7 


27.8.4.12 
27.8.4.22 
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NIS Domains 


e ANIS Domain is a named set of Maps. 


¢ Default domain for each host set at boot time. 
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Common NIS Problems and Solutions 


1. Client Hangs 


2. YP Service Unavailable 


3. “YPBIND” Crashes 


4. Different versions of a map 


5. “YPSERV” Crashes 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 


Check to see if the network has at least one NIS Server. 
Check to see whether any NIS Servers in the network are running. 
Check to see whether the Client and Server's “DOMAINNAMES” match. 


Check to see if “YPBIND” process is running. 


Check to see if the “PORTMAP” Daemon is running. 
If PORTMAP is running, ensure that “YPBIND” has been able to register 
its services with PORTMAP. 


Check internetwork connections to see whether a link is down, preventing 
the Server map update process from occurring. 


See “3a” and “3b”. 
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color 
color 
jackiemac 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
jackiemac 


1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 


130.43.4.255 
130.43.4.255 
color 

color 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
jackiemac 
color 
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PMAP C Call PROG=100004, VERS=2, PROC=2 
PMAP C Call PROG=100004, VERS=1, PROC=2 
PMAP R PORT=1194 

PMAP R PORT=1194 

NIS C Do nothing 

NIS ROK 

NIS C Do nothing 

NIS ROK 

NIS_ C Do nothing 

NIS ROK 

NIS_ C Lookup key support.apple.com.hosts. byname 
NIS ROK 

NIS_ C Lookup key support.apple.com.rpc.bynumber 
NIS ROK 


Objective: Examine traffic when a NIS client is able to access the NIS Server software 


Configuration: The NIS Server is station jackiemac.support.apple.com, IP address 
130.43.4.76. The client is color, IP address 130.43.4.31. 


Procedure: Load the file: CN\CAPTURE\TC103\WORKS.ENC 
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Exercise One (cont’d) ; 


1. What program is the client software trying to find in frames 1 and 2? 
2. Does the client software get a response to these queries? 
3. In most cases what transport layer runs below Network Information Services (NIS)? 


4. What does the user do in frames 75-127. Hints: “Man” is the UNIX manual pages. 
Hex 7F is delete. Hex 08 is backspace. 


5. What is a possible explanation for frames 137 and 154 using TCP as the transport layer 
instead of UDP? 
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130.43.4.200) 130.43.4.255 


130.43.4.255 
130.43.4.255 
130.43.4.255 
130.43.4.255 


RIP R Routing entries=1 

PMAP C Call PROG=100004, VERS=1, PROC=2 
PMAP C Call PROG=100004, VERS=1, PROC=2 
PMAP C Call PROG=100004, VERS=1, PROC=2 
PMAP C Call PROG=100004, VERS=1, PROC=2 


Objective: Examine traffic when a NIS client is unable to access the NIS Server software 


Configuration: The NIS Server is station jackiemac.support.apple.com, IP address 
130.43.4.76. The client is color, IP address 130.43.4.31. 


Procedure: Load the file: C\CAPTURE\TC103\NOYPSERV.ENC. Press F3, then arrow 
down to the Network Stations layer. Move to the left to Objects and 
Symptoms and press Enter. Arrow down to the station “color.” Press F2 to 
Filter & display on that network station. 
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Exercise Two (cont’d) 
1. What program is the client software trying to find in frames 2-7? 


2. Does the client software ever get a response to these queries? 


3. In frame 18, the user tries to PING from the host that is supposed to be running the 
NIS Server to her machine. Does this work? What does this tell you about the link 
between the two machines? 


4. In frame 249, the user tries a different naming protocol. What protocol is that? 
Does this method of mapping IP addresses to names and vice versa seem to work? 


5. What are some possible explanations for the client not being able to access the NIS 
Server software? 
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Troubleshooting 
Exercises 
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The SUNHANG Troubleshooting Exercise 


Problem: A Sun hangs in the middle of a session 
Hint(s): 1. Packets 1-3 illustrate the basic problem 


2. Suns apparently simply reverse the “source” and “destination” physical 
addresses when replies need to be sent to a sending host. Interference 
in the form of a conversation with a third party host can force a host to 
have to look in its ARP cache for an address 


3. Draw a picture of the hosts and the process (port) numbers 
Load the trace file C\CAPTURE\TC103\SUNHANG.ENC and press F3 twice. 


1. Turn on DLC addresses. (This option is located to the right of Summary window.) Using the Manage names 
function, change Sun07972C to Sun_Olympus, Sun076A03 to Sun_Atlantis, and Intrln0591A2 to MICOM_TS. 
Now press F3. 


2a. What problem does packets 1-3 illustrate? 


2b. Press F3 to access the Expert Window, move to NETWORK STATIONS and press Enter in the Diagnoses 
collumn. What is the diagnosis? 
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The SUNHANG 
Troubleshooting Exercise (cont'd) 
3. What is happening in packets 4-6? ; 


4. What is happening in packets 7-15? 
5. Does the “root” account on Sun-07972C (SUN_OLYMPUS) have a password? 
6. What did the user type to create packets 39-48? 


7. What happens in packets 52-94? 


Network 
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_ The SUNHANG 
Troubleshooting Exercise (cont’a) 


8. What happens in packets 99-111? 

9. What is odd about packet 112? 

10. What is INTRLN 0591A2’s (MICOM_TS) reaction to packet 112? 
11. Compare packets 98 and 112. What do you notice? 


12. What has happened at this point? 


Network 
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ee A 
The SUNHANG 
Troubleshooting Exercise (cont'd) 


13. Which packet is packet 115 acknowledging? 


14. Explain packet 116. 


15. Explain packets 117 - 126. 


16. What happens in packets 130-133? 


17. How can this problem be fixed? 
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The Frags Troubleshooting Exercise 
Objective: Investigate NFS, NIS, ARP, and PortMapper behavior on a network that i 


experiencing physical layer problems. 


NeXT 00575B 
192.9,200,209 | 


Sun 0OD9CE 
192.9,200, 208 
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Sniffer 


Sun 06CCA4 
192.9.200.203 
host name = natco-4 


NES Server 


Sun 06BS2A 
192.9.200.200 
NIS Server 
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Sun 0016AE 
192.9,200.201 


Sun OOBSE3 
192.9,200.202 


Sun 06B773 _ 
192.9,200.204 


host name = natco-3 


NIS Server 
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— ee 8 ey, 
The Frags Troubleshooting Exercise (cont'd) 


Trace File = C\CAPTURE\TC103\FRAGS.ENC 


Hint: Turn on the Flags display option to see indications of physical and data link layer 
problems. 


Study the first part of the trace to better understand normal traffic on this network. 


1. Approximately how long does the NFS Server usually take to reply to a Read command? 


2. In frames 21-52 what inefficiencies do you notice? 


Are these inefficiencies due to retransmissions at the application, session, transport, or data link layer? 


3. In frames 1-941 approximately what percentage of the frames are damaged, i.e. runt packets or CRC errors? 


Network 
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The Frags Troubleshooting Exercise (coni’a) 


Now study the last part of the trace to better understand the problems on this network. 
4. In frames 942 - 1173 approximately what percentage of the frames are damaged, i.e. runt packets or CRC errors? 


5. Notice the long delta time between frames 941 and 942. If you were troubleshooting this network, what would you 
ask yourself when you see a long delta time like this on the Sniffer? 


6. What is the last frame that we see from the NFS Server? 


7. Study frames 942-954. What is the NFS client software trying to do in these frames? 


Which frames are retransmissions due to: 
DLC errors? 

NFS timeouts? 

User actions? 


8. Which host is PC150 trying to find in frames 955-961? 


Network 
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The Frags Troubleshooting Exercise (cont'd) 


10. 


Li, 
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In addition to ARPs, what other types of commands does the NFS client software on 3Com 2A4DOD (PC150) 
send while trying to establish communications with the server in frames 955-981? 


In frame 969, what service is the client software trying to find? (Hint: If necessary, look at the list of 
registered RPC programs in the RPC section of your manual.) 


Are the NIS (Yellow Pages) servers still responding to messages? 


. In what frame does the client software restart its attempt to find the NFS server by sending ARPs? 


. Go to frame 1019. Turn on the HEX window if you haven't already. Frame 1019 is a legal length frame, so 


the Sniffer does not call it a runt packet. However, it is quite possible a collision did occur causing this frame 
to get damaged. Note the 55s at the end of the frame. What might cause these? (Hint: remember your 
Ethernet basics!) 
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The Frags Troubleshooting Exercise (cont’a) 


14, Frame 1019 and 1020 both got damaged. In frame 1021, PC150 finally manages to send the frame. What is 
the purpose of this frame and the response in frame 1022? 


15. Go to frame 1041. In this frame PC150 broadcasts a message to find out what the subnet mask is. Based on 
the responses, what is the subnet mask for this network? 


16. Scroll through the rest of this trace and observe PC150’s attempts to establish communications with the NFS 
file server. Does PC150 ever successfully communicate with the NFS server? 


17, Remember the long delta time between frames 941 and 942? What might have happened during the time 
between frames 941 and 942 to cause the network behavior we see in the rest of the trace? 
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RC 
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Delta T 


206.9528 
0.0003 
0.7178 
3.0759 
0.0002 
0.0003 
0.0002 
0.0026 
0.0242 
0.0114 
0.0499 
12.2696 
0.0003 
26.8879 
3.4793 
35153 
0.0002 
0.0002 
0.0007 
0.0034 
3.5112 
0.0003 
0.1164 
0.0003 
0.0476 
0.0005 
0.0002 
0.0141 
0.0185 
0.1315 
0.0007 
0.0727 
0.0006 
0.0003 
0.0001 
0.0021 
0.0029 
0.0002 
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Frags Frames 942-979 


Destination 


[0.0.0.0] 
natco-4 
natco-4 
natco-4 
[85.85.85.85] 
[0.0.0.0] 
natco-4 
[105.245.0.0] 
natco-4 

Sun 06CCA4 
natco-4 

Sun 06CCA4 
natco-4 


192.9.200.0] 
[192.9.200.0] 


Source 


[2.0.0.0] 

pe150 

pe150 

pce150 
[85.85.85.85] 
[85.85.85.0] 
pce150 
[3.0.90.56] 
pce150 

3Com 2A4D0D 
pe150 

3Com 2A4D0D 
pe150 

3Com 2A4D0D 
3Com 2A4D0D 
3Com 2A4D0D 
3Com 2A4D0D 
3Com 2A4D0D 
3Com 2A4D0D 
3Com 2A4D0D 
pce150 

pel50 


[255.255.255.255] pe150 
[255.255.255.255] pc150 


Sun O0D9CE 
pe150 

pel50 
[192.9.200.0] 


3Com 2A4D0D 
pel50 

pce150 
[192.9.200.200] 
[113.208.0.0] 
pe150 


3Com 2A4D0D 
[192.9.200.208] 
[192.9.200.208] 


pcel50 
[192.9.200.200] 
3Com 2A4D0D 
[192.9.200.201] 
3Com 2A4D0D 
Sun 06B52A 
[192.9.200.204] 
[192.9.200.209] 
pe150 
[16.0.90.49] 
[192.9.200.200] 
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Summary 


IP INCOMPLETE HEADER -- CANNOT INTERPRET 
NFS C Lookup wpS0 in F=E71D 

NFS C Lookup wpS0 in F=E71D 

NFS C (Frame too short, or truncated) 

IP D=[85.85.85.85] S=[85.85.85.85] LEN=0 ID=20235 
IP INCOMPLETE HEADER -- CANNOT INTERPRET 
RPC C XID=537201237 PROG=? VERS=1431655765 PROC=143 1655765 
IP INCOMPLETE HEADER -- CANNOT INTERPRET 

RPC C XID=537201 237 PROG=? VERS=1 431655765 PROC=143 1655765 
DLC BAD FRAME, Ethertype=0800, size=14 bytes 

NFS C Lookup wp50 in F=E71D 

DLC BAD FRAME, size=13 bytes 

NFS C Lookup wp50 in F=E71D 

ARPC PA=[192.9.200.203] PRO=IP 

ARPC PA=[192.9.200.203] PRO=IP 

ARPC PA=[85.85.85.0] PRO=IP 

ARPC PA=[192.81.85.85] PRO=IP 

ARPC PA=[85.85.85.0] PRO=IP 

ARPC PA=(85.85.85.0] PRO=IP 

ARPC PA=[192.9.200.203] PRO=IP 

UDP D=9 S=9 LEN=22 

UDP D=9 S=9 LEN=22 

ICMP C Get address mask 

ICMP C Get address mask 

ARPR PA=[192.9.200.150] HA=02608C2A4D0D PRO=IP 
ICMP R Address mask = [95.85.85.85] 

ICMP R Address mask = [255.255.255.0] 

PMAP C Call PROG=100004, VERS=1, PROC=2 

PMAPR PORT=1027 

ARPR PA=[192.9.200.150] HA=02608C2A4D0D PRO=IP 
RPCR XID=656326816 

ARPC PA=(192.9.200.200] PRO=IP 

ARP R PA=[192.9.200.200] HA=08002006B52A PRO=IP 
RPCR XID=656326816 

ICMP R Address mask = [255.255.255.0] 

PMAP C Get port PROG=100007, VERS=2, [P=17 

IP INCOMPLETE HEADER -- CANNOT INTERPRET 
PMAPR PORT=1035 
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NetBIOS/SMB 


Network 
General 
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e 
The IBM PC LAN Program 


. O Network INT 2A 
qsts Control INT 2 


INT INT 2A 
INT 2F 


Create 
SMB 


AOCOD 0 DW |i 
HOCOO4+ 0 


z 


we 
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NetBIOS 


NetBIOS Service 


Session Management 

Full-Duplex Transmission 
¢ Error Control 

Flow Control 


Virtual Circuits 
Datagrams 
Connection Management 
Source Routing 
OSI 7-Layer 
Model 


¢ NetBIOS on TCP/IP Interface Defined in RFCs 1001 and 1002 


L 


Network 
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NetBIOS Name Service Commands 


Command Function 


. MSG.ADD.NAME Adds a unique name to a station's 
name table 


. MSG.ADD.GROUP.NAME Adds a group name to a station's 
name table 


. MSG.DELETE.NAME Removes a name from a station's 


name table 


. MSG.FIND.NAME Determines the location(s) or a 
specified name. Returned 
information is used for source 
routing 


Network 
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NetBIOS Session Service Commands 
Command Function 
. MSG.CALL Open a session 


. MSG.LISTEN Enable a session to be opened with a name specified 
in a command 


. MSG.HANG.UP Close a session 
. MSG.SEND Send data to a session partner 


. MSG.CHAIN.SEND Send two chained buffers to a session partner 


. MSG.RECEIVE Receive data from a session partner 


. MSG.RECEIVE.ANY Receive data from any session partner 


. MSG.SESSION.STATUS Obtain status of one or all sessions for a given name 


Network 
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NetBIOS Datagram Service Commands 


Command Function 


. MSG.SEND.DATAGRAM Send a datagram 
. MSG.SEND.BROADCAST. DATAGRAM Send a broadcast datagram 
. MSG.RECEIVE.DATAGRAM Receive a datagram 


. MSG.RECEIVE.BROADCAST.DATAGRAM Receive a broadcast datagram 


Network 
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NetBIOS Status and Control Commands 


Command Function 
. MSG.RESET Resets the NetBIOS interface 
. MSG.CANCEL Cancel a Command 
. MSG.STATUS Determine the status of the NetBIOS interface 
. MSG.UNLINK Provided for compatibility with an earlier version 
. MSG.TRACE Activate a trace of all commands issued to the 


NetBIOS interface and NetBIOS transmits and 
receives 


Network 
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Name Service Packet Format 


Name Transaction ID A unique value inserted by the requestor and duplicated by the 
responder which identifies a transaction. Transactions may 
consist of multiple requests and responses 


OPCODE Identifies the type of packet: 
= que 
5= i istration 
6 = release 
7 = wack 
8 = refresh 


NM Flags Various flags to indicate whether: 
- broadcast or unicast ; 
- recursion available and/or desired 
-packettruncated | Treen ae 
- whether the answer if authoritative (if it is an answer!) 
Request results code (varies based on request) 
The number of question entries 


The number of answer entries 


The number of authority entries 


The number of additional entries 


Network 
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Flags 


16 Length 


Variable Trailer 
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00 = Session message 
81 = Session request 


82 = Positive session response 

83 = Negative session response 
84 = Retarget session response 
85 = Session keep alive 


Bits 0 - 6: Must be zero (reserved for future use) 
Bit 7: Length extension bit 


The number of bytes following this field 


Packet type-dependent information 
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SMB: Server Message Block 


¢ A file-sharing protocol 


e Similar to NFS in that it consists of a series of 
remote procedure calls 


¢ All messages have a common format 


Network 
General 
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SMB_IDF OxFF “SMB” 

SMB_COM Command Code 

SMB_RCLS Error code class 

SMB_REH Reserved (contains AH if DOS INT-24 err) 
SMB_ERR Error code 

SMB_REB Reserved 

SMB_RES Reserved 

SMB_TID Tree ID (a connection ID) 

SMB_PID Caller’s process ID (like a port number) 
SMB_UID User ID number 

SMB_MID Multiplex ID number 

SMB_WCT Count of parameter words 

SMB_VWV Variable number words of params 
SMB_BCC Number of bytes of data which follow 
SMB_DATA Data bytes 


— 
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SMB File Sharing Connections 


Net Share —— 
Consumer Server 
—  NetUse -—> 
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Create File 
Close File 
Flush File 


Read 

Write 

Seek 

Create Directory 
Delete Directory 
Delete File 
Rename File 

Get File Attributes 
Set File Attributes 
Lock Record 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 


© Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


Obtains a file handle for a data file 


Creates a new data file, or truncates an existing one 


Invalidates a file handle for the requesting process 


Ensures that all data and allocation information for a file has been 
written to non-volatile storage 


Read bytes of a data file 

Write bytes into a data file 

Sets the current file pointer for the requesting process 
Creates a new directory 

Deletes an empty directory 

Deletes a data file 

Changes the name of a file 

Obtains information about a file 

Changes information about a file 

Locks a given byte range 


————_———— 
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SMB File Sharing Commands (cont'd) 


Unlock Record Unlocks a given byte range 


Create Temporary File Creates a temporary file 


Process Exit Informs the server that a consumer process has terminated 
Make New File Creates a new file; will fail if file already exists 


Check Path Verifies that a path exists and is a directory 


Get Server Attributes Determines total server capacity and remaining free space 

Negotiate Protocol Allows a consumer to specify dialects that can be used for communication 
File Search Searches directories for a file 

Create Print File Creates a new print file 

Close Print File Invalidates the specified file handle and queues the file for printing 

Write Print File Appends the data block to the print file specified by the file handle 


Get Print Queue Obtains a list of the elements currently in the print queue on the server 


\ 
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Exterior 
Gateway 
Protocol (EGP) 
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Exterior Gateway Protocol (EGP) 


¢ Used to exchange network reachability information between 
autonomous systems 


e A router on the “border” of one autonomous system acquires 
a peer router that is on the “border” of a different 
autonomous system : 


e One use for EGP is for an autonomous system to reach a 
Core gateway 


¢ Supports a hierarchical topology - only a single path is 
usable from one device to another in the internetwork 


¢ RFC 904 


Network 
General 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 Miscellaneous - 17 


© Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


Exterior Gateway Protocol (EGP) 


e Runs above IP 
e IP protocol type = 08 
¢ To filter on EGP with the Sniffer, use a pattern match filter: 


Pattern = 08 
Offset = 17 


Network 
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EGP Header Format 
Field N ee 


Update Response/ Indication 
Message Type 


Poll Command 
Varies depending on Message Type 


- Neighbor Acquisition Message 
Status Varies depending on Message Type; usually has one of these values: 

“0” unspecified 
eg Up state 
ed Down state 

16 

16 

16 


its) 


Neighbor Reachability Message 
Error Response/ Indication 

16-bit one's complement of the one's complement sum of the EGP message 

Autonomous number that identifies the autonomous system, assigned by the NIC 

System Number 


Used to match a reply to a command 
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Three Phases of the EGP 


¢ Neighbor Acquisition 
— A router asks another router (in a different autonomous system) to 
become an EGP neighbor (peer). 
— The routers negotiate how often they should keep in contact. 
— One router is designated as the active peer. 


¢ Neighbor Reachability 
— The active peer determines if its neighbor is still functional by 
periodically sending Hello packets. The peer should respond with 
an IHU (I hear you) message. If the peer doesn't respond to a 
certain percentage of the Hello packets, it is considered down. 


6 N etwork Reachability 
The active peer periodically sends Poll commands to its peer. 
— The peer should respond with an Update response specifying the 
networks it can reach. 
— The active peer also sends unsolicited Updates to its peer. 


twork 
General 
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Pees 
en 


Neighbor Acquisition 


Will you be my neighbor? Neighbor 
Acquisition Message (type = 3). 
Request command (code = 0). 


I’m configured to be active. 
My autonomous system number = 70. 


I'd like to send hellos every 30 
seconds and polls every 120 seconds. 
————S$ 


Autonomous 
System 90 


Autonomous 
System 70 


I’d love to be your neighbor. 
Neighbor Acquisition Message (type = 3). 
Confirm response (code = 1). 


—_——_— 4 


I’m configured to be active also, but I’ll act 
passive since I have a higher system number. 


My autonomous system number = 90. 
Active Peer : 
I'd like you to send hellos every 60 seconds 


and polls every 180 seconds. 


Network 
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Neighbor Reachability 


Hello? Neighbor Reachability Message 
(type = 5). Hello command (code = 0) 


I’m down. (Status = 2.) 
My autonomous system number = 70. 


—————— 
Autonomous Autonomous 


System 90 


<t——— [ hear you. Neighbor Reachability Message = 


(type = 5). IHU (code = 1) 
My autonomous system number = 90. Bl 


Active Peer Passive Peer 


I’m up. (Status = 1). 


a 
Network 


TCP/IP Network Analysis and Troubleshooting - 6/94 Rev. 4.4 Miscellaneous - 22 General 


eal 


Copyright 1990 - 1994 Network General Corporation. All rights reserved. 


eae - 
Network Reachability 


Send me your routing table 
please. Poll (type = 2). 
My status is up (1). 
My autonomous system 
number = 70. 
The address of the network we 
share in common is 128.19.0.0 
Nem cam 
Autonomous network 128.19.0.0 Autonomous 
System 70 System 90 


Here’s my routing table. Update 
message (type=1). 

My status is up (1). My autonomous 
system number = 90. 


The address of the network we share in 
common is 128.19.0.0. 


Active Peer 


Passive Peer 


Here are all the gateways I can get to 
and the networks they can get to. Also 
included is the distance to those 
networks from the network that we 
share in common. 


Network 
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© 
Network Reachability Example 


network 128.20.0.0 


Autonomous 


Autonomous 
System 70 


System 90 


network 128.19.0.0 


Active Peer Passive Peer 


Router D runs EGP and sends the following information to its peer. 

Update message (type=1). My status is up (1). My autonomous system number = 90. 

I know about 3 internal gateways (including myself). 

The address of the network we share in common is 128.19.0.0. 

Gateway D's IP address on network 128.19 is x.x. For networks reachable from Gateway D: 
— For distance = 1 hop (from our common network), there is one network - 128.23.0.0. 

Gateway A's IP address on network 128.19 is x.x. For networks reachable from Gateway A: 
— For distance = 1 hop (from our common network), there is one network - 128.20.0.0. 

Gateway B's IP address on network 128.19 is x.x. For networks reachable from Gateway B: 
— For distance = 1 hop from our common network, there is one network - 128.21.0.0. 


network 128.22.0.0 


— For distance = 2 hops from our common network, there is one network - 128.22.0.0. \ 
Network 
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LAN Analysis Tools 


Expert Sniffer® Network Analyzer 


Foundation Manager™ 


Network 
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LAN Segment 


e Automatic identification of common network 
problems at all seven OSI layers in real-time 


e Top-down view of the network, providing a 
end-user perspective 


e Real-time configuration “learning” 


e Explanations that recommend solutions to 
problems 


Network 
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vs 
ee 


LAN Segment 


¢ Full 7-layer protocol analysis : 
¢ Complete suite of network protocols 

¢ All popular network topologies 

¢ Local and wide area network connections 


¢ Advanced Monitoring: statistics, alarms and reports 


Network 
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LAN and WAN Connections 


Extending the benefits of network analysis to the wide area 
LAN Segment 
Wide Area Network 
Bridge/Router a 
¢ Full 7-layer protocol analysis on your WAN: 


Enables improved applications performance 
— Leads to decreased monthly line costs 
— Consistent user interface eliminates additional user training pan 
— Dual LAN/WAN support minimizes customer investment 


@ 
Network 
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TeleSniffer 


¢ TeleSniffer software (DCA Remote) is 
included with every Sniffer to allow remote 
access to the analyzer via RS-232 media, 
either with a direct connection or modem 
interface. 


¢ Access may be gained using TeleSniffer 
Remote Software on most PC compatibles 
using popular modems. 


= onodem 
Ge 


ey, Cee aon 
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Distributed Sniffer System 


Sniffer Server 


San Francisco 


Sniffer Server 


SniffMaster 
Console 


Sniffer Server 


SniffMaster 


Sniffer Server Console 


La 
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SniffMaster Console 


¢ Provides simultaneous access to up to 30 Sniffer Servers 

¢ Consolidates alarm information from multiple Sniffer Servers 
¢ Downloads updates and new applications to Sniffer Servers 

¢ Provides centralized printer support 

¢ Both Ethernet and Token Ring Consoles are supported 


¢ The SniffMaster Console is available as a turn-key system or as 
a software-and-interface-board kit for use on any standard PC. 
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¢ Runs ona Sun SPARCstation with SunOS 4.1.x or later 
¢ Based on X-Window (X11.R4) and Motif Graphical User Interfaces (GUI) 
¢ Simultaneous views of multiple Sniffer Servers 


¢ Mouse and Icon control of Sniffer Servers 


¢ Consolidated alarm log, using a separate window called the Alarm Viewer 
¢ Support for SNMP Traps 
¢ Communicates with Sniffer Servers using TCP/IP 


Network 
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Sniffer Servers 


¢ Network interfaces for Ethernet, Token Ring and WAN. 


e Analysis and Monitoring Applications for problem solving 
and performance optimization. 


e Servers communicate with multiple SniffMaster Consoles. 


e Statistics, alarms, and protocol information are stored on the 
Server to minimize network traffic. 


e Servers communicate with consoles through bridged and 
routed networks 


Network 
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Sniffer and DSS Functional Differences 


Sniffer CSS 
External triggers (COM1) | — Printing to LPT1 or LPT2 
Audible clicks 


Token Ring speed change 
through software switch 


Printing to LPT1 or COM1 
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How to Contact Network General 


¢ Technical Support Hotline 
(800) 395-3151 
FAX: 415-327-9436 
Internet: support@ngc.com 
CompuServe: type GO NETGENERAL at any ! prompt 


¢ SniffNet Bulletin Board 
(415) 327-4782 £300-14,400 bps, 8, N, 1 


¢ HAVE YOUR SERIAL NUMBER READY! 
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Glossary of Terms 
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1BASES5 


10BASE2 


10BASES5 


10BASE-T 


3Com 3+ 


3Plus 


802.2 


802.3 


802.4 


802.5 


AARP 


AC 


Glossary 


The implementation of the IEEE 802.3 (StarLAN) standard using 1 
megabit per second transmission on a baseband medium whose maximum 
segment length is 500 meters. 


The implementation of the IEEE 802.3 (Ethernet) standard using 10 
megabit per second transmission on a baseband medium whose maximum 
segment length is 185 meters. 


The implementation of the IEEE 802.3 (Ethermet) standard using 10 
megabit per second transmission on a baseband medium whose maximum 
segment length is 500 meters. 


The implementation of the IEEE 802.3 (Ethernet) standard using 10 
megabit per second transmission on a baseband medium. The standard 
provides a means for attaching AUI-compatible devices to 24 gauge, 
unshielded twisted pair cable, instead of the usual coaxial media. 


A networking system from 3Com Corporation using parts of the XNS 
and Microsoft/IBM PC LAN program protocols. 


3Com’s implementation of XNS. Interpreted by the XNS PI suite. 


The IEEE standards designation for the LLC sublayer protocol that 
provides both datagram and reliable connection transmission. 


The IEEE standards designation for the CSMA/CD network access 
method. Similar to (and often used interchangeably with) Ethernet. 


The IEEE standards designation for token bus networks. Used primarily 
with MAP protocols. 


The IEEE standards designation for the token ring network access 
method. 


AppleTalk Address Resolution Protocol. For outgoing packets, supplies 
the 

hardware destination address corresponding to a higher-level protocol 
address, and filters incoming packets to pass only those that are 
broadcast or specifically addressed to it. Interpreted in the AppleTalk PI 
suite. 


Access control. A DLC byte on IEEE 802.5 token ring networks that 
contains the token indicator and frame priority information. 
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ACSE 


ACTPU 
ACK 


active monitor 


ACT 


ADSP 


advertising 


AEP 


AFP 


ALAP 


alarm 


alert 


APPC 


Glossary 


Association Control Service Element. An ISO application-level protocol 
interpreted in the ISO PI suite. 


Activate Physical Unit. An SNA message sent to start a session. ie 
Acknowledge. A network packet acknowledging the receipt of data. —_ 
A computer on a token ring that acts as the controller for the ring, _ 
regulating the token and other performance aspects. 

a, 
Absolute Congestion Threshold. Frame Relay term. 
AppleTalk Data Stream Protocol. A connection-oriented protocol a 
providing a reliable, full-duplex, byte-stream service between any two 
sockets on an AppleTalk internet. Interpreted in the AppleTalk PI suite. “™ 
The process by which a service makes its presence known on the — 
network. Typically provided through some sort of LAN-based multicast. 
AppleTalk Echo Protocol. See Echo. 
AppleTalk Filing Protocol. A presentation-level protocol for access to a 
remote files. Interpreted in the AppleTalk PI suite. 

a 
AppleTalk Link Access Protocol. See LAP. 

an 


Network statistics sent from a DSS Server to a connected Console over a 
LAN or WAN. Triggered by the monitor or analyzer application on the 
Server when network statistics exceed certain thresholds. Consists of the 
name of an offender, a timestamp, and an alarm priority threshold. 


Notification of an alarm condition. Sent from a DSS Server to non- 
connected unit such as a pager or a Console. Consists of a numeric 
identifier and a numeric value of the alarm threshold. 


Application Program Interface. The specification of functions and data 
used by one program module to access another; the programming en 
interface that corresponds to the boundary between protocol layers. 


a, 
Advanced Program-to-Program Communications. A communications 
system used to communicate between transaction programs on IBM 
computers; APPC uses the LU 6.2 subset of SNA. ao 
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architecture 


ARCNET 


ARP 


ASCII 


ASN.1 


ASP 


asynchronous 


ATP 


AUI 


backbone 


background services 


Glossary 


The architecture of a system refers to how the system is designed and 
how the components of the system are connected to, and operate with 
each other. 


A baseband token-passing network originally designed by the Datapoint 
Corporation that communicates among up to 255 stations at 2.5 Mbps. 


Address Resolution Protocol. 

(1) A protocol within TCP/IP for finding a node’s DLC addresses from 
its IP address. Interpreted in the TCP/IP PI suite. 

(2) Interpreted in the Banyan VINES PI suite. 


American Standard Code for Information Interchange. A mapping 
between numeric codes and graphical characters used almost universally 
for all personal computer and non-IBM mainframe applications. 


Abstract Syntax Notation One. A set of conventions governing the ISO 
presentation layer. Interpreted in the ISO PI suite. 


AppleTalk Session Protocol. A general protocol, built upon ATP, 
providing session establishment, maintenance, and tear-down, along with 
request sequencing. Interpreted in the AppleTalk PI suite. 


A method of data transmission which allows characters to be sent at 
irregular intervals by preceding each character with a start bit and 
following it with a stop bit. Commonly used to communicate with 
modems and printers. 


AppleTalk Transaction Protocol. Provides a loss-free transaction service 
between sockets, allowing exchanges between two socket clients in 
which one client requests the other to perform a particular task and 
report the result. Interpreted in the AppleTalk PI suite. 


Attachment Unit Interface. Drop cable for Ethemet between station and 
transceiver. 


The backbone is the part of the communications network which carries 
the heaviest traffic. It is one basis for design of the overall network 


service. 


A protocol transmitted by a Matchmaker frame in Banyan VINES. 
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Glossary 

background task A secondary job performed while the user is performing a primary task. 

For example, many network servers will carry out the duties of the en 

network (controlling communications) in the background while at the 

same time the users are running their own applications (such as word a 

processors). | 
bandwidth The amount of data that can be moved through a particular eo 

communications link. For example, Ethernet has a bandwidth of 

10Mbits/s. — 
baseband A transmission technique that sends data bits without using a much aa 


higher carrier frequency (contrast with broadband). The entire bandwidth 
of the transmission medium is used by one signal. 


baud rate A measure of signaling speed in data communications. Specifies the 
number of signal elements that can be transmitted each second. For most 
purposes, at slow speeds, a baud rate is the same as the speed in bits per 


ie, 


second. a 
BCC Block Check Character. Another word for Frame Check Sequence. a 
beacon A token ring packet that signals a serious failure on the ring. or 
BECN Backward Explicit Congestion Notification. The sixth bit in the second 
octet of the frame relay header. Used to inform a subscriber device of  “™ 
congestion in the backward direction. 
BER Bit error rate. The percentage of received bits in error compared to the 
total amount of bits received. Usually expressed exponentially. pom 
BERT Bit error rate test. Test used to ascertain the bit error rate on a given ay 
wide-area link. 
BIND An SNA message sent to activate a session between LUs. a 
bipolar The predominant signaling method used for digital transmission services, «™ 
such as DDS and T1. 
BIS Bracket Initiation Stopped. An SNA message sent to indicate that the 
sending station will not attempt to initiate any more brackets. ae 
BNC A standardized coaxial cable connector; used for Thin Ethernet 
(“Cheapernet”) cables and ARCNET networks. o~ 
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BOOTP 


breakout box 


bridge 


broadband 


broadcast 


buffer 


bursty traffic 


capture 


CCITT 


CGA 


Glossary 


Boot Protocol. A protocol within TCP/IP that is used for downloading 
initial programs into networked stations. Interpreted in the TCP/IP PI 
suite. 


A test device used to view the signals in an RS-232, V.35, or other 
interface. The breakout box is used to diagnose problems with the 
interface. 


A device used to connect two separate networks into one extended 
network. Bridges only forward packets between networks that are 
destined for the other network. 


A transmission technique that sends data bits encoded within a much 
higher radio-frequency carrier signal. The transmission medium may be 
shared by many simultaneous signals since each one only uses part of the 
available bandwidth. 


(1) A message directed to all stations on a network or collection of 
networks. 
(2) A destination address that designates all stations. 


A software program, storage space in RAM, or a separate device used to 
store data. For example, the Sniffer Network Analyzer’s capture buffer 
serves as a temporary storage space for captured network data until it 
can be saved to disk. 


Data communications term referring to an uneven pattern of data 
transmission. 


The process in which the Sniffer analyzer records network traffic for 
interpretation. Generally speaking, this interpretation takes place during 
display. However, the Expert Sniffer analyzer simultaneously captures 
and interprets network traffic. 


International Consultative Committee for Telephony and Telegraphy. 
CCITT is a member of the International Telecommunications Union 
(ITU) that is, in turn, a specialized body within the United Nations. It 
sponsors a number of standards dealing with data communications 
networks, telephone switching standards, digital systems, and terminals. 


Color Graphics Adapter. The interface between a personal computer and 
a medium-resolution color monitor. 
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chat script 


chat string 


CIR 


client 


CLLM 


CLNS 


CMIP 


CMOT 


compression 


concentrator 


Courier 


CRC 


Glossary 


communication parameters for an asynchronous device. 


A UNIX-style command/response sequence of characters which are 
downloaded to a serial device in order to control the device. 


Committed Information Rate. The largest number of bits per second that 
a frame relay network agrees to carry for a PVC. CIR is assigned at the 
time of subscription to the frame relay service. 


1. A module that uses the services of another module. The session layer 
is a client of the transport layer, for example. 

2. A PC or workstation that accesses services or applications from 
another “‘server” PC or workstation. 


Consolidated Link Layer Management. An access signaling protocol 
specified by ANSI for frame relay links. 


Connectionless Network Service Protocol (also called ISO IP). 
Interpreted in the ISO PI suite. 


Common Management Information and Services Protocol. When used 
with TCP/IP, it is also known as CMOT. 


Common Management Information and Services Protocol Over TCP. A 
management protocol for networks; it uses ASN.1 encoding. Interpreted 
in the TCP/IP and ISO PIs. 


Reducing the bandwidth or bits necessary to encode information. 


A central point for connecting many individual stations to a network ring. 
Found most often on FDDI networks. 


A presentation-level protocol in XNS (similar to RPC in the Sun protocol 


family); it delivers data to such application-level protocols as XNS 


Printing, XNS Filing, or XNS Clearinghouse. 


Cyclic Redundancy Check. A check-word, typically two or four bytes at 
the end of a frame, used to detect errors in the data portion of the frame. ae 
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oe group of three chat strings (Setup, Listen, and Disconnect) that control _ 


a 


an, 


i. 


ae 


CSMA/CA 


CSMA/CD 


CTERM 


DAC 


DAP 


DAS 


DB-9 


DB-15 


DB-25 


DCE 


DDP 


Glossary 


Carrier Sense Multiple Access with Collision Avoidance. A random 
access or contention-based control technique; the algorithm used in 
LocalTalk networks to control transmission. 


Carrier Sense Multiple Access with Collision Detection. A random access 
or contention-based control technique; the algorithm used by IEEE 802.3 
and Ethernet networks to control transmission. 


Command Terminal. A protocol within DECnet for communicating with 
generic intelligent terminals, that is, a virtual terminal protocol. 
Interpreted in the DECnet PI suite. 


Dual Attachment Concentrator. A concentrator that offers two 
connections to the FDDI network capable of accommodating the FDDI 
dual ring, and additional ports for connection of other concentrators or 
FDDI stations. 


Data Access Protocol. The DECnet protocol that provides remote file 
access. Interpreted in the DECnet PI suite. 


Dual Attachment Station. An FDDI station that offers two connections 
to the FDDI dual counter-rotating ring. 


A 9-pin standardized connector used in personal computers for a token 
ring network connection (female), serial I/O port (male), and RGBI 
output. Also used for LocalTalk. 


A 15-pin standardized connector used at the transceiver, the drop cable, 
and the station of IEEE 802.3 or Ethernet network components. 


A 25-pin standardized connector used in personal computers for parallel 
output ports (female connector on IBM PC chassis) or for serial I/O 
ports (male connector on IBM PC chassis). 


Data Circuit-terminating Equipment (also called Data Communications 
Equipment). On a serial communications link, the device that connects 
the DTEs into the communication line or channel. 


Datagram Delivery Protocol. Extends the services of the underlying LAP 
protocol to include an internet of interconnected AppleTalk networks, 
with provision to address packets to sockets within a node. Interpreted in 
the AppleTalk PI suite. 
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a, 
DE Bit Discard Eligibility Bit. The seventh bit of the second octet of the frame 
relay header. A value of 1 in the DE bit indicates that the frame is eligible _ 
for discard by a congested network. 
destination address That part of a message which indicates for whom the message is a 
intended. Usually a collection of characters or bits. Just like putting a 
destination address on an envelope. _ 
DFC Data Flow Control. An SNA subprocess for reliable message transfer. << 
diagnosis A problem on the network detected by the Expert Sniffer analyzer. The 
Expert Sniffer analyzer detects and alerts users to diagnoses as it 
discovers them on the network to which it is attached. ay 
DIP switch Dual In-Line Package. A small switch usually attached to a printed circuit 
lm 


board. Usually requires a small screwdriver to change. There are only 
two settings— on or off. Printed circuit boards usually have “banks” of 
multiple DIP switches used to configure the board in a semi-permanent 


way. 
DIS Draft International Standard. One of the stages in defining ISO protocols. 
Final stage is IS. es 
DISC Disconnect. An LLC non-data frame indicating that the connection 
established by an earlier SABM or SABME is to be broken. ao 
display The process in which the Sniffer analyzer interprets the traffic recorded 
during capture. During display, the analyzer decodes the various layers of 
protocol in the recorded frames and displays them as English pon 
abbreviations or summaries. 
DIX DEC/Intel/Xerox. Used to refer to an early version of Ethernet. Se 
DLC Data Link Control. The lowest protocol level within the transmitted ~ 
network frame; fields typically include the Destination address, and 
Source address, and perhaps other control information. aim 
DLCI Data Link Connection Identifier. 10-bit number used by the Frame Relay _. 
protocol to identify a virtual circuit. 
Ctl 
DLL 1. Downline load. A protocol within the Datapoint RMS family used for 
downloading initial programs into networked stations. 
FN 
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DM 


DNS 


DOS 


DRP 


DSAP 


DTE 


duplex 


El 


EBCDIC 


Echo 


Glossary 


2. Dynamic Link Library. A type of program library used in MS- 
Windows. 


Disconnected Mode. An LLC message acknowledging that a previously 
established connection has been broken. 


Domain Name Service. A protocol within TCP/IP for finding out 
information about resources using a database distributed among different 
name servers. Interpreted in the TCP/IP PI suite. 


Disk Operating System. The most common operating system for IBM- 
compatible personal computers. 


DECnet Routing Protocol. The lowest-level DECnet protocol, concerned 
with moving packets from endnodes through routers to other endnodes. 
(“Routing” in DNA terminology corresponds to the ISO model’s 
“Network” layer). 


Destination Service Access Point. The LLC SAP for the protocol 
expected to be used by the destination station in decoding the frame data. 


Data Terminal Equipment. On a serial communications link, a generic 
term used to describe the host or end-user machine. 


Characteristic of data transmission. Either full or half duplex. Full permits 
simultaneous two-way communication. Half means only one side can talk 
at a time. 


A digital transmission link with a capacity of 2.048 Mbps (CCITT 
version of T1). 


Extended Binary-Coded-Decimal Interchange Code. A mapping between 
numeric codes and graphical characters used for IBM mainframe 
computers and communications protocols defined by IBM. 


(1) A request/response protocol within XNS used to verify the existence 
of a host. 

(2) A protocol within AppleTalk that allows any node to send a datagram 
to any other node and to receive an echoed copy of that packet in return 
to verify the existence of that node or to make round trip delay 
measurements. Interpreted in the AppleTalk PI suite. 

(3) A protocol transmitted by a Matchmaker frame in Banyan VINES. 
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EGP 


EIA 


ELAP 


EPROM 


Error 


error rate 


ES-IS Routing 


Ethernet 


Ethertype 


FC 


FCS 


FDDI 


FECN 


Glossary 


Exterior Gateway Protocol. A protocol within TCP/IP used to exchange 
routing information among gateways belonging to the same or different 
systems. A generalization of GGP. 


. a. 
Electronic Industries Association. A standard organization specializing in 
the electrical and functional characteristics of interface equipment. 


See LAP. 

Come 
Erasable Programmable Read Only Memory. A read-only memory device 
which can be erased and reprogrammed. EPROMs do not lose their Pom 
memory when power is shut off. 


a, 
A protocol within XNS by which a station reports that it has received 
(and is discarding) a defective packet. Interpreted in the XNS PI suite. 

ar, 
In data transmission, the ratio of the number of incorrect elements 
transmitted to the total number of elements transmitted. —_ 


End-System to Intermediate-System Routing. A protocol within the ISO _. 
family used to exchange routing information between gateways and 
hosts. Interpreted in the ISO PI suite. 


A CSMA/CD network standard originally developed by Xerox; similar to 


(and often used interchangeably with) the IEEE 802.3 standard. —_ 
A 2-byte protocol-type code in Ethernet frames used by several a 
manufacturers but independent of the IEEE 802.3 standard. 

_ 
Frame control. On a token ring network, the DLC byte that contains the 
frame’s type. ma 
Frame check sequence. A redundant check field used to increase the 

a 


probability of error-free transmission on the network. 


Fiber Distributed Data Interface. ANSI/ISO standards that defines a am. 
100Mb/s LAN over a fiber-optic media using a timed token over a dual 
ring of trees. - 


Forward Explicit Congestion Notification. The fifth bit in the second 


octet of the frame relay header. Used to inform a subscriber device of 
congestion in the forward direction. 
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filter 


flow control 


FMD 


FMH 


FOUND 


frame 


frame check sequence (FCS) 


Frame Relay 


FRMR 


Glossary 


Front-End Processor. The “traffic cop” of the data communications 
world. Typically sits in front of a computer and is designed to handle the 
telecommunications burden so the computer can concentrate on handling 
the processing burden. 


Format Identification. A field in the SNA Transmission header indicating 
the type of nodes participating in the conversation. LU 6.2 nodes are type 
2s 


The Sniffer analyzer uses several varieties of filters, including the 
following. (1) Capture filters. These filters determine which arriving 
frames the analyzer discards and which it retains. (2) Display filters. 
These filters determine which frames in the capture buffer will be 
displayed. Eliminating a frame from display with a display filter does not 
remove the frame from memory. Rather, it simply removes the frame 
from display. 


Hardware or software mechanisms used in data communications to tum 
off transmission when the receiving workstation is unable to store the 
data it is receiving. Various methods of regulating the flow of data during 
a conversation. Buffers are an example of flow control. 


Function Management Data. A class of data embedded at the start of 
SNA RUs. 


Function Management Header. The header part of SNA FMD containing 
addressing and transmission control information. 


Foundation Services. A protocol within DECnet used for primitive 
terminal-handling services. Interpreted in the DECnet PI suite. 


The multi-byte unit of data transmitted at one time by a station on the 
network; synonymous with Packet. 


In bit-oriented protocols, a 16-bit field added to the end of a frame that 
contains transmission error-checking information. 


A streamlined access protocol commonly used for LAN interconnectivity. 
Frame Reject. An LLC command or response indicating that a previous 


frame had a bad format and is being rejected. The FRMR frame contains 
five bytes of data explaining why and how the previous frame was bad. 
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Front-End Processor 


FRP 


FS 


FTAM 


functional address 


gateway 


GGP 


GUI 


handshaking 


HDLC 


Glossary 


, See “FEP.” 


Fragmentation Protocol. Breaks up and reassembles network-layer 
packets so that they are acceptable to the data-link protocol and the 
underlying physical medium; used on networks whose physical medium is 
ARCNET. Interpreted in the Banyan VINES PI suites. 


Frame status. A byte appended to a token ring network frame following 
the CRC. It contains the Address Recognized and Frame Copied bits. 


File Transfer, Access and Management. An application-level protocol 
within the ISO suite, on top of ACSE. 


File Transfer Protocol. 

(1) A protocol based on TCP/IP for reliable file transfer. Interpreted in 
the TCP/IP PI suite. 

(2) A protocol transmitted by a Matchmaker frame in Banyan VINES. 


A limited broadcast destination address for IEEE 802.5 token ring 
networks. Individual bits in the address specify attributes that stations 
eligible to receive the frame should have. Similar to “multicast address.” 


In the general sense, a gateway is a computer that connects two different 
networks together. Usually, this means two different kinds of networks, 
such as SNA and DECnet. In TCP/IP terminology, however, a gateway 
connects two separately administered subnetworks, which may or may 
not be running the same networking protocols. 


Gateway-to-gateway protocol. A protocol within TCP/IP used to 
exchange routing information between IP gateways and hosts. 
Interpreted in the TCP/IP PI suite. See also EGP. 


Graphical User Interface, pronounced “gooey”. An operating system or 
environment that displays options on the screen as icons, or picture 
symbols. 


The electrical exchange of predetermined signals when a connection is 
made between two devices carrying data. Just as people shake hands 
when they meet, computers must go through a procedure of “greeting” 
the opposite party and preparing for communications. 


High-level Data Link Control. A standard bit-oriented protocol 
developed by the International Standards Organization (ISO). In HDLC, 
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aT 


Poet 


FN 


header 


hop 


hub 


ICMP 


ICP 


IDP 


IEEE 


IGRP 


IONET 


Glossary 


control information is always placed in the same position. Specific bit 
patterns used for control differ dramatically from those used to represent 
data, minimizing errors. Many internetworking companies (such as Cisco 
and Vitalink) have developed proprietary versions of HDLC, which the 
Sniffer Internetwork Analyzer can decode. 


The beginning portion of a message which contains destination address, 
source address, message-numbering, and other information. The header 
helps direct the message along its journey. Different protocols implement 
headers in different ways. 


A term used in routing. A hop is one data link. A path to the final 
destination on a net is a series of hops away from the origin. Each hop 
has a cost associated with it, allowing the calculation of a least cost path. 


A concentrator and repeater for the network. Generally speaking, a hub 
is a central point for wiring or computing in a network. For StarLAN, it 
is more properly known as a Network Hub Unit or as a Network 
Extension Unit. 


Information. An LLC, HDLC, or SDLC frame type used to send 
sequenced data that must be acknowledged. 


Internet Control Message Protocol. A protocol within TCP/IP used 
principally to report errors in datagram transmission. Interpreted in the 
TCP/IP PI suite. 


Internet Control Protocol. Used to broadcast notification of errors and to 
note changes in network topology in Banyan VINES. Interpreted in XNS 
PI suite. 


Intemet Datagram Protocol. Delivers to an internet address a single 
frame as an independent entity, without regard to other packets or to the 
addressee’s response. 


Institute of Electrical and Electronics Engineers, Inc. Standards 
documents are available from them at 345 East 47th Street, New York, 
NY 10017. 


Interior Gateway Routing Protocol. Cisco routing protocol designed for 
campus-wide use, as opposed to wide-area use. 


Input/Output Network. A device message protocol used by Datapoint. 
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IPC 


IPX 


IS 


ISDN 


ISO 


ISODE 


ISO IP 


KSP 


LAN 


Glossary 


Internet Protocol. The lowest-level protocol under TCP/IP that is 
responsible for end-to-end forwarding and long packet fragmentation 
control. Interpreted in the TCP/IP PI suite. A similar protocol is 
interpreted in the Banyan VINES PI. See also the IPX and ISO IP 
protocols. 


Interprocess Communication Protocol. A transport-level protocol in 
Banyan VINES, providing reliable message service and unreliable 
datagram service. Interpreted in the Banyan VINES PI suite. 


Internet Protocol. Novell’s implementation of Xerox Internet Datagram 
Protocol. Interpreted in the Novell NetWare PI suite. 


1. International Standard. The final phase for an ISO protocol definition. 
At this point, the protocol is fully specified and guaranteed not to change. 
2. Intermediate System. An OSI term for a system that originates and 
terminates traffic, and that also forwards traffic to other systems. 


Integrated Services Digital Network. A digital telephone technology that 
combines voice and data services on a single circuit. Source of many 
ideas for frame relay networking. 


International Organization for Standardization (or International 
Standards Organization). 

(1) A consortium that is establishing a suite of networking protocols; 
(2) The protocols standardized by that group. 


ISO Development Environment. Protocol for transmitting higher-level 
ISO protocols over a network whose lower levels are handled by 
TCP/IP. Interpreted in the TCP/IP and ISO PI suites. 

The ISO standard Internet Protocol. Interpreted in the ISO PI suite. 
Kiewit Stream Protocol. A transport protocol resembling TCP developed 
at Dartmouth College for the support of terminal emulators connected to 


AppleTalk networks; interpreted in the AppleTalk PI suite. 


Local Area Network. The hardware and software used to connect 
computers together in a limited geographical area. 
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Famed 


a, 


oo 


meet 


LAP 


LAPB 


LAST 


LAVC 


LLAP 


LAT 


leased line 


link protocol 


LLC 


LMI 


LOOP 


LSA 


LU 6.2 


Glossary 


Link Access Protocol. The logical level protocol for AppleTalk. It exists 
in two variants: ELAP (for Ethernet) and LLAP (for LocalTalk 
networks). Interpreted in the AppleTalk PI. 


Link Access Protocol, Balanced. A subset of HDLC. 


Local Area System Transport. Protocol for remote booting in 
DECnet/DOS. 


Local Area Vax Cluster. An adaptation of the System Communication 
Architecture (SCA) to run over the Ethernet instead of a CI bus. Used to 
enable MicroVAXs to operate as diskless nodes. 


See LAP. 


Local Area Transport. The DECnet protocol that handles multiplexed 
terminal (keyboard and screen) traffic to and from timesharing hosts. 
Interpreted in the DECnet PI suite. 


Same as a leased circuit, dedicated circuit, or leased channel. A telephone 
line rented for exclusive continuous use. Commonly used to connect 
LANs remote from one another. 


The set of rules by which a logical data link is set up and by which data 
transfers across the link. Includes formatting of the data. 


Logical Link Control. A protocol that provides connection control and 
multiplexing to subsequent embedded protocols; standardized as IERE 
802.2 and ISO/DIS 8802/2. 


Local Management Interface. An access signaling protocol defined for 
Frame Relay circuits. LMI carries information on the status of PVCs 
between the network and a subscriber device. Optional additions to LMI 


include multicasting, global addressing, and flow control. 


Loopback protocol. A protocol under Ethernet for sending diagnostic 
probe messages. 


Lost Subarea. An SNA error condition. 


Logical Unit 6.2. A subset of the SNA protocols used for peer-to-peer 
communications between computers. 
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LUSTAT 


MAC 


Mail Service 


Manchester encoding 


MAP 


Matchmaker 


MAU 


MIB 


MIC 


modem 


MOP 


Glossary 

Comet 
Logical Unit Status. An SNA message used to send status information. 

-~ 
Medium Access Control. The protocol level that describes network 
management frames sent on the 802.5 token ring. Most MAC frames are = 
handled transparently by the network adapter. 
Protocol used (in conjunction with StreetTalk) for the transmission of “™ 
messages in the VINES distributed electronic mail system. Interpreted in 
the Banyan VINES PI suite. —_ 


A data encoding technique that uses a transition at the middle of each bit — 
period that serves as a clock and also as data. 


Manufacturing Automation Protocol. A multilayer networking protocol 
developed primarily by General Motors for manufacturing control 
applications. 


Protocol used by the VINES service that provides high-level program-to- 
program communication, including translation as necessary to match the 
conventions of sender’s and receiver’s formats. Matchmaker is descended 
from XNS Courier. Interpreted in the Banyan VINES PI suite. 


Multiple Access Unit (also Medium Attachment Unit). The wiring 
concentrator or transceiver used for attaching stations connected to the 
network. 


Management Information Data Base. The structured database of network ~~» 
statistical information used by the SNMP and CMIP protocols. 

FN 
Media Interface Connector. An optical fiber connector pair that links the 
fiber media to the FDDI node or another cable. 


A contraction of modulate and demodulate; a conversion device installed 
in pairs at each end of an analog communications line. The modulator 
part of the modem codes digital information onto an analog signal by 
varying the frequency of the carrier signal. The demodulator part extracts <> 
digital information from a modulated carrier signal. 


comma 


FN 
Maintenance Operations Protocol. A protocol under DECnet for remote 


testing and problem diagnosis. Interpreted in the DECnet PI suite. 
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MOUNT 


multicast 


multiplexing 


N(R) 


N(S) 


NC 


NCP 


NetBIOS 


Glossary 


A protocol developed by Sun Microsystems that provides request access 
checking and user validation. It is used in conjunction with NFS. 
Interpreted in the Sun PI suite. 


(1) A message directed to a group of stations on a network or collection 
of networks (contrast with broadcast). 
(2) A destination address that designates such a subset. 


Sending several signals over a single line and separating them at the other 
end. 


Receive sequence number. An LLC or HDLC field for I frames that 
indicates the sequence number of the next frame expected; all frames 
before N(R) are thus implicitly acknowledged. 


Send sequence number. An LLC or HDLC field for I frames that 
indicates the sequence number of the current frame within the 
connection. 


(1) Name-Binding Protocol. Used in AppleTalk networks to permit 
network users to use character names for network services and sockets. 
NBP translates a character-string name within a zone into the 
corresponding socket address. Interpreted in the AppleTalk PI suite. 
(2) NetBIOS Protocol. Used in 3Com 3+ Open software. Interpreted in 
the XNS PI suite. 


Network Control. An SNA subprocess. 


NetWare Core Protocol. Novell’s application-level protocol for the 
exchange of commands and data between file servers and workstations. 
Interpreted in the Novell NetWare PI suite. 


Network Disk. A protocol within the Sun NFS family used to access 
virtual disks located remotely across the network. Interpreted in the 
TCP/IP PI suite. 


Network Basic I/O System. 

(1) A protocol implemented by the PC LAN Program to support 
symbolically named stations and the exchange of arbitrary data. 

(2) The programming interface (API) used to send and receive NetBIOS 
messages. 
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Glossary 


_ There exist several different and incompatible implementations of 
NetBIOS, and separate PIs for them, as, for example, in the IBM and the 


TCP/IP PI suites. 
NETBLT Network Block Transfer. A protocol within earlier versions of TCP/IP. Se 
Not interpreted in the TCP/IP PI suite. 
li 
NetWare The networking system designed by Novell Inc. and the protocols used 
therein. — 
Network Management 1. A general term describing the protocols and applications used to Ps 
manage networks. 
2. A protocol transmitted by a Matchmaker frame in Banyan VINES. = 
network object The Expert Sniffer analyzer creates network objects by performing 
multilevel protocol analysis on the frames that pass through its real-time “™ 
protocol interpreters. In this way, the Expert analyzer can distill a 
relatively small number of network objects from the huge body of _ 
information it processes. Network objects can be any of the following: a 
DLC station, a network station, a connection, an application, or a pay 
subnetwork. 
network topology The geography of a network. Examples of network geographies include 
ring, bus, and star. 
NEU Network Extension Unit. A concentrator and repeater for StarLAN 
networks. o~ 
NFS Network File System. A protocol developed by Sun Microsystems for 
requests and responses to a networked file server. Interpreted in the Sun 
PI suite. oy 
NGCP Network General Control Protocol. Network General Corporation 
protocol used for communications between Distributed Sniffer System “ 
consoles and servers. 
NHU Network Hub Unit. A concentrator and repeater for StarLAN networks. 
a, 
NICE Network Information and Control Exchange. The DECnet protocol for 
network management. Interpreted in the DECnet PI suite. a 
NIF Neighbor Information Frame. Used by stations on an FDDI ring to 
FN 


announce their addresses to downstream neighbors. 
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NIS 


nodes 


NRZ 


NRZI 


NSP 


null modem 


octet 


OpenNET 


OSI 


overhead 


packet 


packet switching 


Glossary 


Network Information Services. Previously known as “Yellow Pages.” A 
set of services in the Network File System that propagate information 
from masters to recipients. Used for the maintenance of system files on 
complex networks. 


Points in a network where service is provided, service is used, or 
communications channels are interconnected. “Node” is sometimes used 
interchangeably with “workstation.” 


Non-return to Zero. 


Non-return to Zero Inverted. A binary encoding scheme that inverts the 
signal on a “one” and leaves the signal unchanged for a “zero.” The 
Sniffer Internetwork Analyzer can interpret both NRZ and NRZI, but 
you must set the correct option in the Options menu. 


Network Services Protocol. The DECnet protocol that provides reliable 
message transmission over virtual circuits. Interpreted in the DECnet PI 
suite. 


A cross-pinned cable used for DTE to DTE communications. Sometimes 
called a modem eliminator. 


A string of eight bits. Synonymous with Byte. 


A networking system from the Intel Corporation that uses parts of the 
OSI standards and components of the Microsofv/IBM PC LAN program. 
Interpreted in the ISO PI suite. 


Open Systems Interconnection. A generalized model of a layered 
architecture for the interconnection of systems. 


In data communications, all information found on the network at a given 
time. Includes control, routing, and error-checking characters, in addition 
to user-transmitted data. 


The multi-byte unit of data transmitted at one time by a station on the 
network. Synonymous with Frame. 


A method for sending data in packets through a network to some remote 
location. The data to be sent is subdivided into individual packets of data, 
each having a unique identification and carrying its destination address. 
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PAD 


PAP 


parallel interface 


parity 


parity bit 


patch panel 


PC*I 


PCF 


PDU 


PEP 


Glossary 


This way, each packet can go by a different route, possibly arriving in a 
different order than it was shipped. The packet ID allows the datatobe 
reassembled in proper sequence. 


Packet Assembler Disassembler. Special purpose computer on an X.25 
network that allows asynchronous terminals to use the synchronous X.25 
network by packaging asynchronous traffic into a packet. -_ 
Printer Access Protocol. A protocol within AppleTalk that uses ATP XO 
commands to create a stream-like service for communication between 

user stations and the Apple LaserWriter or similar stream-based devices. 
Interpreted in the AppleTalk PI suite. 


An interface which permits parallel transmission, or simultaneous 
transmission of the bits making up a character or byte, either over 
separate channels or on different carrier frequencies of the same channel. 


A process for detecting whether bits of data have been altered during —_ 
transmission of that data. 


A binary bit appended to an array of bits to make the sum of the bits 
always odd or always even. Used with a parity check for detecting errors 
in transmitted binary data. 


A device in which temporary connections can be made between incoming “™ 
and outgoing lines. Used for modifying or reconfiguring a 

communications system or for connecting test instruments (such as the 
Sniffer Network Analyzer) to specific lines. 


. 
Personal Computer Integration. Data General’s nomenclature for their 
networking system. Protocols used include the ISO IP and TP4 levels 
and the Microsoft/IBM PC LAN program SMB protocols. Interpreted in 
the ISO PI suite. 
Physical Control Fields. The part of the token ring DLC header that 
includes the AC and FC fields. —— 
Protocol Data Unit. The data delivered as a single unit between peer ee 
processes on different computers. 
Packet Exchange Protocol. A protocol within the XNS family used to 
exchange datagrams. Interpreted in the XNS/MS-Net PI suite. 

Lo, 
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PI 


PING 


PMAP 


port 


preamble 


protocol 


protocol interpreter 


PUP 


PVC 


RAM 


Glossary 


Protocol Interpreter. A program that knows the frame format and 
transaction rules of a communications protocol and can decode and 
display frame data. 


A TCP/IP tool supplied with TCP/IP Distributed Sniffer System. PING is 
a diagnostic utility that sends ICMP Echo Request messages to a specific 
IP address on the network. 


Port Mapper. A protocol developed by Sun Microsystems for mapping 
RPC program numbers to TCP/IP port numbers. Interpreted in the Sun 
PI suite. 


The physical access point to a computer, multiplexor, device, or network 
where signals may be sent or received. 


A fixed data pattern transmitted before each frame to allow receiver 
synchronization and recognition of the start of a frame. 


A specific set of rules, procedures, or conventions governing the format 
and timing of data transmission between two devices. 


The Sniffer analyzer uses its protocol interpreters to identify the 
protocols nested within each frame and interpret their contents. 

PARC Universal Packet. A type of Ethernet packet formerly used at the 
Xerox Corporation’s Palo Alto Research Center. Interpreted in the 
XNS/MS-Net and the TCP/IP PIs but not included in their protocol 
diagrams since no longer in regular use. 


Permanent Virtual Circuit. A unique, predefined logical path between 
two endpoints of a network. 


Random Access Memory. A chip or collection of chips where data can be 
entered, read, and erased. RAM is the fastest memory device, but loses 
its memory when power is shut off. 


Reverse Address Resolution Protocol. A protocol within TCP/IP for 
finding a node’s IP address given its DLC address. Interpreted in the 
TCP/IP PI suite. 


Reliable datagram protocol. A protocol within an earlier version of 
TCP/IP. Not interpreted in the TCP/IP PI suite. 
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a, 
REJ Reject. An LLC frame type that requests retransmission of previously 
sent frames. Se 
REM Ring Error Monitor. A station on the 802.5 token ring network that — 
collects MAC-level error messages from the other stations. a 
repeater A device inserted at intervals along a circuit to boost, amplify, and/or “™ 
regenerate the signal being transmitted. 
RFC Request For Comment. Designation used in DoD/TCP protocol research 
and development. ae 
RG-58 The designation for 50-ohm coaxial cables used by Cheapernet (thin 
Ethernet). 
RG-59 The designation for 75-ohm coaxial cables used by PC Network o~ 
(broadband). 
oo 
RG-62 The designation for 93-ohm coaxial cables used by ARCNET. 
aN 
RGBI Red-Green-Blue-Intensity. An interface used for attaching a color 
monitor to a personal computer; DB-9 connectors are typically used. 
RH Request/response header. An SNA control field prior to a Request Unit 
or Response unit. ao 
RI Routing Information. A protocol at the logical link level for devices — 
operating on the token ring. Interpreted by the token ring and Ethernet 
Distributed Sniffer_ System independent of other PIs. die 
RII Routing Information Indicator. If the first bit in the source address field 
of a token ring frame is 1, then the data field begins with Routing = 
Information. Interpreted by the token ring and Ethernet Distributed | 
Sniffer_ System independent of other PIs. 
RIP Routing Information Protocol. A protocol within the XNS and TCP/IP 
families used to exchange routing information among gateways. — 
Interpreted in the XNS PI suite and in the TCP/IP PI suite. 
Pm 
RJ-45 The designation for the 8-wire modular connectors used for StarLAN 
and 10BASE-T networks. It is similar to, but wider than, the standard re 
(RJ-11) telephone modular connectors. 
La 
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RMS 


RNR 


router 


RS-232C 


RSTAT 


RTMP 


RTP 


RU 


Glossary 


Resource Management System. A set of protocols used by Datapoint to 
communicate from client stations to servers. 


Receive Not Ready. An LLC and HDLC command or response 
indicating that transmission is blocked. 


(1) An internet linking device operating at network layer 3. 
(2) A protocol transmitted by a Matchmaker frame in Banyan VINES. 


Remote Procedure Call. A protocol for activating functions on a remote 
station and retrieving the result. Interpreted in the Sun PI suite. A similar 
protocol exists in Xerox XNS. 


Remote Program Load. A protocol used by IBM on the IEEE 802.5 
token ring network to download initial programs into networked stations. 
Interpreted in the IBM PI suite. 


Ring Parameter Server. A station on a token ring network that maintains 
MAC-level information about the LAN configuration such as ring 
numbers and physical location identifiers. 


Receive ready. An LLC non-data frame indicating readiness to receive 
data from the other station. 


Recommended Standard 232. EJA standard defining electrical 
characteristics of the signals in the cables that connect a DTE and a DCE. 


Remote status. A protocol with the Sun NFS family used to exchange 
statistics on network activity. Interpreted in the Sun PI suite. 


Routing Maintenance Protocol. Used in AppleTalk networks to allow 
routers dynamically to discover routes to the various networks of an 
internet. A node that is not a router uses a subset of RTMP (the RTMP 
stub) to determine the number of the network to which it is connected 
and the node IDs of routers on its network. Interpreted in the AppleTalk 
protocol interpreter. 


Routing Update Protocol. Used to distribute network topology 
information. Interpreted in the Banyan VINES PI suite. 


Request Unit/Response unit. The part of an SNA frame after the RH that 
contains the details of a request or its response. 
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SABME 


SAC 


SAP 


SAS 


SBI 


SC 


SCP 


SCSI 


Glossary 


_ Remote Unix. A protocol atop TCP/IP for issuing remote requests over 


the network to a UNIX host. 


Supervisory. An LLC, HDLC, or SDLC frame type used for control 
functions. 


Set Asynchronous Balanced Mode. An LLC non-data frame requesting 
the establishment of a connection over which numbered I frames may be 
sent. 


Set Asynchronous Balanced Mode (Extended). SABM with two more 
bytes in the control field. Used in LAPB. 


Single Attachment Concentrator. A concentrator that offers one S port 
for attachment to the FDDI network and M ports for the attachment of 
stations or other concentrators. 


Service Access Point. 

(1) A small number used by convention or established by a standards 
group, that defines the format of subsequent LLC data; a means of 
demultiplexing alternative protocols supported by LLC. 

(2) Service Advertising Protocol. Used by NetWare servers to broadcast 
the names and locations of servers and to send a specific response to any 
station that queries it. 


Single Attachment Station. An FDDI station that offers one S port for 
attachment to the FDDI ring. 


Stop Bracket Initiation. An SNA message sent to request that the other 
station not initiate any more brackets. 


Session Control. An SNA subprocess for establishing and maintaining 
connections. 


Session Control Protocol. The DECnet protocol concerned with the 
establishment of virtual circuits over which NSP transfers data; 
interpreted in the DECnet PI suite. 


Small Computer Standard Interface. Pronounced “scuzzy.” A standard 


for connecting disk drives to disk controllers, used typically in small 
multiuser computers. 
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a, 


FS 


o, 


SDLC 


semaphore 


serial interface 


SESSION 


Sever 


SIF 


SIG 


SMB 


SMT 


SMTP 


SNA 


SNAP 


Glossary 


Synchronous Data Link Control. An older serial communications 
protocol that was the model for LLC and with which it shares many 
features. 


A synchronization mechanism on an operating system. 


An interface which requires serial transmission, or the transfer of 
information in which the bits composing a character are sent sequentially. 
Implies only a single transmission channel. 


Name for the session-level protocol in the ISO series, interpreted in the 
ISO PI suite. 


A protocol transmitted by a Matchmaker frame in Banyan VINES. 


Status Information Frame. Used by stations on an FDDI ring to exchange 
information about station configuration and operating parameters. 


Signal. A high-priority SNA message used to request permission to send. 


Server Message Block. A message type used by the IBM PC LAN 
Program and LAN Manager to make requests from a user station to a 
server and receive replies. Many of the functions are similar to those 
made by an application program to DOS or to OS/2 running on a single 
computer. Interpreted in the IBM, XNS, TCP/IP, ISO, DECnet, and 
Banyan VINES PI suites. 


Station Management. Provides ring management, connection 
management, and SMT frame services for an FDDI ring. 


Simple Mail Transfer Protocol. A protocol within TCP/IP for reliable 
exchange of electronic mail messages. Interpreted in the TCP/IP PI suite. 


Systems Network Architecture. A complex set of protocols used by IBM 
for network communications, particularly with mainframe computers. 
Interpreted in the IBM PI suite. 


Sub-Network Access Protocol (also sometimes called Sub-Network 
Access Convergence Protocol). An extension to IEEE 802.2 LLC that 
permits a station to have multiple network-layer protocols. The protocol 
specifies that DSAP and SSAP addresses must be AA hex. A field 
subsequent to SSAP identifies one specific protocol. Interpreted in the 
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SPP 


SPP 


Glossary 
-~ 
TCP/IP PI suite and the AppleTalk PI suite. (See RFC 1042 for further 
information on SNAP.) Se 


The Distributed Sniffer System_ (DSS) client that communicates with the aa 
DSS Sniffer Servers from any point on the network. The Console 
delivers instructions to the Server and reads the output of the Server’s 


analysis. The Console is a computer that uses proprietary software and “™ 
hardware. The proprietary hardware is a network interface card called a 
Transport Card for communicating over the network with Servers. _ 


The Distributed Sniffer System (DSS) server that captures and analyzes 
packet level network data under instructions from the client, a DSS 
SniffMaster Console. The Server is a computer that uses proprietary 


software and hardware. The Sniffer Server’s analysis applications are a 
based on the Sniffer network analyzer and the Advanced Network 

Monitor. The Server uses two network interface cards: a Transport Card “™ 
that supports communication with Consoles and a Monitor card that is 

used to capture frames and collect statistics from the network. — 


Simple Network Management Protocol. Interpreted in the TCP/IP PI Pe 
suite. 


Set Normal Response Mode. Place a secondary station in a mode that 
precludes it from sending unsolicited frames. The primary station controls 
all message flow. Used in SDLC. o 


Set Normal Response Mode (Extended). SNRM with two more bytes in —™ 
the control field. Used in SDLC. 


_, 
A logically addressable entity or service within a node, serving as a more 
precise identification of sender or recipient. as 
A method of creating a loop-free logical topology on an extended LAN. 
Formation of a spanning tree topology for transmission of messages = 
across bridges is based on the industry-standard spanning tree algorithm 
defined in IEEE 802.1d. o- 
Sequenced Packet Protocol. A virtual-circuit connection-oriented on 
protocol in XNS. 
Sequenced Packet Protocol. a 

FN 


page 26 


SPX 


SQE 


SQE TEST 


SS7 


SSAP 


SSCP 


StarLAN 


StreetTalk 


SUA 


subnet 


Glossary 


(1) The XNS protocol that supports reliable connections using sequenced 
data; interpreted in the XNS PI suite. A variant called SPX is used in 
Novell NetWare. 

(2) The transport-level protocol that provides virtual connection service 
in Banyan VINES, based upon the protocol of the same name in XNS. 
Interpreted in the Banyan VINES PI suite. 


Sequential Packet Exchange. Novell’s version of the Xerox protocol 
called SPP. Interpreted in the Novell NetWare PI suite. 


Signal Quality Error. The 802.3/Ethernet collision signal from the 
transceiver. 


The SQE signal generated by the transceiver at the end of a transmitted 
frame to check the SQE circuitry. Also known as heartbeat in Ethernet. 


Signaling System 7. Protocol related to ISDN. Directs how the interior 
of an ISDN network is managed. 


Source Service Access Point. The LLC SAP for the protocol used by the 
originating station. 


System Services Control Point. An SNA identification of 
communications management functions. 


A network developed by AT&T Bell Labs and based upon a derivative of 
the CSMA/CD (Ethernet) network standard originally developed by 
Xerox; similar to (and often used interchangeably with) the IEEE 802.3 
standard. 


Protocol used in Banyan VINES to maintain a distributed directory of the 
names of network resources. In VINES names are global across the 
internet and independent of the network topology. Interpreted in the 
Banyan VINES PI suite. 


Stored Upstream Address. The network address of a token ring station’s 
nearest upstream neighbor. Texas Instruments calls this the UNA (see 
Upstream Neighbor Address). 


A term used to denote any networking technology that makes all nodes 


connected to it appear to be one hop away. In other words, the user of 
the subnet can communicate directly to all other nodes on the subnet. A 
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collection of subnets together with a routing or network layer combine to 


form a network. -~ 
SVC Switched Virtual Circuit. A virtual circuit that is set up on demand, as in 

the case of a dial-up telephone line, or an X.25 call. 
symptom An abnormal or unusual network event which the Expert analyzer. ao 
T1 A digital transmission link with a capacity of 1.544 Mbits/sec. a 
Talk A protocol transmitted by a Matchmaker frame in Banyan VINES. = 
TC Transmission Control. An SNA subprocess. ren 
TCP Transmission Control Protocol. The connection-oriented byte-stream 

protocol within TCP/IP that provides reliable end-to-end communication “™ 

by using sequenced data sent by IP. Interpreted in the TCP/IP PI suite. 

Feat 


TCPAP Transmission Control Protocol/Internet Protocol. A suite of networking 
protocols developed originally by the US Government for Arpanetand 
now used by several LAN manufacturers. The individual TCP/IP 
protocols are listed separately in this Glossary. 


Telnet Protocol for transmitting character-oriented terminal (keyboard and 
screen) data. Interpreted in the TCP/IP PI suite. am~ 
terminator A resistive connector used to terminate the end of a cable or an unused «© 
tap into its characteristic impedance. The terminator prevents 
interference-causing signal reflections from the ends of the cable. —m 
TFTP Trivial File Transfer Protocol. A protocol within TCP/IP used to = 
exchange files between networked stations. Interpreted in the TCP/IP PI © 
suite. 
a, 
TH Transmission header. The initial part of an SNA frame immediately 
following the LLC header. ao 
THT Token Holding Timer. The maximum length of time a station holding the 
token can initiate asynchronous transmissions. The THT is initialized 
with the value corresponding to the difference between the arrival of the 
token and the TTRT (FDDI). 
Feat 
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token bus 


token ring 


trigger 


TRLR 


TRT 


TS 


TSR 


TTRT 


TVX 


Glossary 


A small message used in some networks to represent the permission to 
transmit; it is passed from station to station in a predefined sequence. 


A type of LAN where all stations can hear what any station transmits and 
where permission to transmit is represented by a token sent from station 
to station. 


A type of LAN where stations are wired in a ring and each can directly 
hear transmissions only from its immediate neighbor. Permission to 
transmit is granted by a token that circulates around the ring. 


Transport-level Protocol. It exists in alterate forms, depending on how 
the services it assumes are provided to it by the network level below it. 
TP 0 assumes that the connection is maintained at the lower level, while 
TP 4 assumes a connectionless network protocol, so that functionality for 
the establishment and maintenance of a connection are included in the 
transport protocol. Levels 0, 2, and 4 are interpreted in the ISO PI suite. 


A Sniffer analyzer feature that allows a user to define an event after 
which the analyzer will stop capture to ensure that frames preceding or 
following the event are retained in the capture buffer. 


Trailer format. Variant of IP in which the protocol headers follow rather 
than precede the user data. 


Token Rotation Timer. A clock that times the period between the receipt 
of tokens (FDDI). 


Transmission Services. An SNA subprocess. 


Terminate and Stay Resident. A DOS program that once loaded into 
RAM, remains there in the background until unloaded or power is shut 
off. 


Target Token Rotation Timer. The value used by the MAC receiver to 
time the operations of the MAC layer. The TTRT value varies depending 
on whether or not the ring is operational (FDDI). 


Valid Transmission Timer. A timer that times the period between valid 


transmissions on the ring; used to detect excessive ring noise, token loss, 
and other faults (FDDI). 
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UI 


UNA 


UNIX 


VINES 


virtual circuit 


VMTP 


VTP 


V.35 


WAN 


X.25 


X.400 


X.500 


XID 


Glossary 


_ Unnumbered Acknowledgment. An LLC frame that acknowledges a 


previous SABME or DISC request. 


User Datagram Protocol. A protocol within TCP/IP for sending 
unsequenced data frames not otherwise interpreted by TCP/IP. 


Unnumbered Information. An LLC, HDLC, or SDLC frame type used to 
send data without sequence numbers. 


Upstream Neighbor Address. The network address of a token ring 
station’s nearest upstream neighbor. IBM calls this the SUA (see Stored 
Upstream Address). 

A popular portable operating system written by AT&T. 

Virtual NEtwork Software. The networking operating system developed 
by Banyan Systems Inc., and the protocols used therein. Notable 


components are StreetTalk and MatchMaker. 


A communications link that appears to be a dedicated point-to-point 
circuit. 


Versatile Message Transaction Protocol (proposed). 

Virtual Terminal Protocol. 

A CCITT wideband interface recommendation for WANs. 

Wide Area Network. A collection of LANs, or stations and hosts, 
extending over a wide area that can be connected via common carrier or 
private lines. Typically, transmission speeds are lower on a WAN than on 


aLAN. 


A CCITT recommendation that defines the standard communications 
interface for access to packet-switched networks. 


ISO standard protocol for electronic mail. Interpreted in the ISO PI suite. 
ISO standard protocol for directory services. Similar to DNS and NIS. 


Exchange Identification. An LLC unnumbered frame type used to 
negotiate what LLC services will be used during a connection. 
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ii. 


— 


La 


XNS 


X Windows 


ZIP 


Zone 


Glossary 


Xerox Network Systems. A family of protocols standardized by Xerox; 
in particular the Internet Transport Protocols. 


Protocol for the management of high-resolution color windows at 
workstations, originated by MIT, DEC, and IBM and subsequently 
transferred to a consortium of vendors and developers. 


Yellow Pages. A protocol developed by Sun Microsystems for 
implementing a distributed resource look-up database; similar in function 
to DNS. Interpreted in the Sun PI suite. Now called “NIS.” 


Zone Information Protocol. Used in AppleTalk to maintain an internet- 
wide mapping of networks to zone names. ZIP is used by the Name- 
Binding Protocol (NBP) to determine which networks belong to a given 


zone. Interpreted in the AppleTalk PI suite. 


In AppleTalk networks, a set of one or more nodes within an internet. 
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